CVE-2014-1902 Information

Feb 14, 2021 cve

Description

Multiple cross-site scripting (XSS) vulnerabilities in Y-Cam camera models SD range YCB003 YCK003 and YCW003; S range YCB004 YCK004 YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002 YCK002 and YCW003; and Y-cam Original Range YCB001 YCW001 running firmware 4.30 and earlier allow remote authenticated users to inject arbitrary web script or HTML via the (1) SYSCONTACT parameter to form/identityApply as triggered using en/identity.asp; (2) PASSWD parameter to form/accAdd as triggered using en/account/accedit.asp; (3) NTPSERVER parameter to form/clockApply as triggered using en/clock.asp; (4) SERVER parameter to form/smtpclientApply as triggered using en/smtpclient.asp; (5) SERVER parameter to form/ftpApply as triggered using en/ftp.asp; or (6) SERVER parameter to form/httpEventApply as triggered using en/httpevent.asp.

Reference

http://www.y-cam.com/y-cam-security-fix/ https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2014-007/?fid=3850

Share on: