i>>?[+] Title: Axis 2100 Network Camera 2.43 - Reflected XSS
[+] Credits / Discovery: Nassim Asrir
[+] Author Contact: wassline@gmail.com 
[+] Author Company: Henceforth
[+] CVE: CVE-2017-12413
 
Vendor:
===============
 
https://www.axis.com/
  
  
Vulnerability Type:
===================
 
Reflected Cross Site Scripting.
 
 
issue:
===================
 
The value of the URL path filename is copied into the HTML document as plain text between tags.
The payload b8b8w<script>alert(1)</script>rw1wz was submitted in the URL path filename. 
This input was echoed unmodified in the application's response.  This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.  


POC:
===================

http://target/admin/admin.shtmlb8b8w%3cscript%3ealert(1)%3c/script%3erw1wz
  
Tested on:
=============== 
 
Windows 7 (64 Bit)