I. ADVISORY INFORMATION ----------------------- Title: Axis Network Cameras Multiple Cross-site scripting Vendor: Axis Communications Class: Improper Input Validation [CWE-20] CVE Name: CVE-2015-8256 Remotely Exploitable: Yes Locally Exploitable: No OLSA-ID: OLSA-2015-8256 vulnerability ------------- AXIS Network Cameras are prone to multiple (stored/reflected) cross-site scripting vulnerability. technical details ----------------- ** STORED XSS # 1 Attacker injects a javascript payload in the vulnerable page (using some social enginner aproach): http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=' ----------------------------------------------------------------^ " and also will create a entry in the genneral log file (/var/log/messages) with the JSPayload: " Apr 11 10:08:45 axis-eac8c03d901 vaconfig.cgi: Could not find application ' A reflected cross-site scripting affects all models of AXIS devices on the same parameter: http:// {axis-cam-model}/view/view.shtml?imagePath=0WLL