CVE-2022-28172

EPSS 0.59%
Veröffentlicht 27.06.2022 18:15:09
Zuletzt bearbeitet 21.11.2024 06:56:53
Quelle hsrc@hikvision.com
CVE-Watchlists
Login
Unerledigt
Login

The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hikvision ≫ Ds-a71024 Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a71024 Version-

Hikvision ≫ Ds-a71048 Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a71048 Version-

Hikvision ≫ Ds-a71072r Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a71072r Version-

Hikvision ≫ Ds-a80624s Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a80624s Version-

Hikvision ≫ Ds-a81016s Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a81016s Version-

Hikvision ≫ Ds-a72024 Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a72024 Version-

Hikvision ≫ Ds-a72072r Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a72072r Version-

Hikvision ≫ Ds-a80316s Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a80316s Version-

Hikvision ≫ Ds-a82024d Firmware Version <= 2.3.8-6

Hikvision ≫ Ds-a82024d Version-

Hikvision ≫ Ds-a71024 Firmware Version <= 1.1.4

Hikvision ≫ Ds-a71024 Version-

Hikvision ≫ Ds-a71048r-cvs Firmware Version <= 1.1.4

Hikvision ≫ Ds-a71048r-cvs Version-

Hikvision ≫ Ds-a72024 Firmware Version <= 1.1.4

Hikvision ≫ Ds-a72024 Version-

Hikvision ≫ Ds-a72048r-cvs Firmware Version <= 1.1.4

Hikvision ≫ Ds-a72048r-cvs Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.59%	0.688

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
hsrc@hikvision.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html

Third Party Advisory

VDB Entry

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-28172

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-28172

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-28172

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-28172