
CVE-2023-22376: Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G

** UNSUPPORTED WHEN ASSIGNED ** Reflected cross-site scripting vulnerability in Wired/Wireless LAN Pan/Tilt Network Camera CS-WMV02G all versions allows a remote unauthenticated attacker to inject an arbitrary script. NOTE: This vulnerability only affects products that are no longer supported by the developer.


Published: 2023/02/13 Last Updated: 2023/02/13

Overview

Wired/Wireless LAN Pan/Tilt Network Camera CS-WMV02G provided by PLANEX COMMUNICATIONS INC. contains multiple vulnerabilities.

Products Affected

  • Wired/Wireless LAN Pan/Tilt Network Camera CS-WMV02G all versions

Description

Wired/Wireless LAN Pan/Tilt Network Camera CS-WMV02G provided by PLANEX COMMUNICATIONS INC. contains multiple vulnerabilities listed below.

  • Stored cross-site scripting (CWE-79) - CVE-2023-22370

    CVSS v3

    CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

    Base Score: 4.8

    CVSS v2

    AV:A/AC:M/Au:S/C:N/I:P/A:N

    Base Score: 2.3

  • Cross-site request forgery (CWE-352) - CVE-2023-22375

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    Base Score: 4.3

    CVSS v2

    AV:N/AC:H/Au:N/C:N/I:P/A:N

    Base Score: 2.6

  • Reflected cross-site scripting (CWE-79) - CVE-2023-22376

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Base Score: 6.1

    CVSS v2

    AV:N/AC:H/Au:N/C:N/I:P/A:N

    Base Score: 2.6

Impact

  • An arbitrary script may be executed in the web browser of a user who is logged in to the product - CVE-2023-22370, CVE-2023-22376
  • If a user views a malicious page while logged in, unintended operations may be performed - CVE-2023-22375

Solution

Stop using the product
The developer states that the product is no longer supported and therefore recommends that users stop using the product.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2023-22370
Yudai Morii, Takaya Noma, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVE-2023-22375, CVE-2023-22376
Takayuki Sasaki, Yudai Morii, Takaya Noma and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information
