Details of VAR-200710-0193

ID

VAR-200710-0193

CVE

CVE-2007-5213

TITLE

AXIX 2100 Network Camera Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2007-006179

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to perform actions as administrators, as demonstrated by (1) an SMTP server change through the conf_SMTP_MailServer1 parameter to ServerManager.srv and (2) a hostname change through the conf_Network_HostName parameter on the Network page. AXIX 2100 Network Camera Contains a cross-site scripting vulnerability.An action could be taken by a third party as an administrator. Axis Communications 2100 Network Camera is prone to multiple input-validation vulnerabilities, including a cross-site scripting issue, multiple HTML-injection issues, and a cross-site request-forgery issue, because the application fails to properly sanitize user-supplied input. Exploiting these issues could allow an attacker to execute arbitrary script code in the context of the webserver process, control how the site is rendered to the user, compromise the application, obtain sensitive information, and access or modify data. These issues affect 2100 Network Cameras with firmware version 2.43; other firmware versions and models may also be affected

Trust: 1.98

sources: NVD: CVE-2007-5213 // JVNDB: JVNDB-2007-006179 // BID: 25837 // VULHUB: VHN-28575

AFFECTED PRODUCTS

vendor:	axis	model:	2100 network camera	scope:	eq	version:	2.02	Trust: 1.6
vendor:	axis	model:	2100 network camera	scope:	lte	version:	2.42	Trust: 1.0
vendor:	axis	model:	2100 network camera	scope:	lte	version:	2.02 and 2.43 firmware	Trust: 0.8
vendor:	axis	model:	2100 network camera	scope:	eq	version:	2.42	Trust: 0.6
vendor:	axis	model:	communications network camera	scope:	eq	version:	21002.43	Trust: 0.3

sources: BID: 25837 // JVNDB: JVNDB-2007-006179 // CNNVD: CNNVD-200710-067 // NVD: CVE-2007-5213

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2007-5213
value:	HIGH
Trust: 1.0
NVD:	CVE-2007-5213
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-200710-067
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-28575
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2007-5213
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-28575
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-28575 // JVNDB: JVNDB-2007-006179 // CNNVD: CNNVD-200710-067 // NVD: CVE-2007-5213

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-28575 // JVNDB: JVNDB-2007-006179 // NVD: CVE-2007-5213

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200710-067

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-200710-067

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-006179

PATCH

title:

Top Page

url:

http://www.axis.com/index.htm

Trust: 0.8

sources: JVNDB: JVNDB-2007-006179

EXTERNAL IDS

db:	NVD	id:	CVE-2007-5213	Trust: 2.8
db:	BID	id:	25837	Trust: 2.0
db:	OSVDB	id:	39490	Trust: 1.7
db:	OSVDB	id:	39491	Trust: 1.7
db:	SREASON	id:	3188	Trust: 1.7
db:	JVNDB	id:	JVNDB-2007-006179	Trust: 0.8
db:	BUGTRAQ	id:	20070928 OWNING BIG BROTHER: HOW TO CRACK INTO AXIS IP CAMERAS	Trust: 0.6
db:	CNNVD	id:	CNNVD-200710-067	Trust: 0.6
db:	VULHUB	id:	VHN-28575	Trust: 0.1

sources: VULHUB: VHN-28575 // BID: 25837 // JVNDB: JVNDB-2007-006179 // CNNVD: CNNVD-200710-067 // NVD: CVE-2007-5213

REFERENCES

url:	http://www.procheckup.com/vulnerability_axis_2100_research.pdf	Trust: 2.0
url:	http://www.securityfocus.com/bid/25837	Trust: 1.7
url:	http://osvdb.org/39490	Trust: 1.7
url:	http://osvdb.org/39491	Trust: 1.7
url:	http://securityreason.com/securityalert/3188	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/480995/100/0/threaded	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5213	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-5213	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/480995/100/0/threaded	Trust: 0.6
url:	http://www.axis.com/files/sales/improving_security_en_0710.pdf	Trust: 0.3
url:	http://www.axis.com/products/camera_servers/index.htm	Trust: 0.3
url:	http://www.axis.com/files/tech_notes/xss_axis2100_security_en_0711.pdf	Trust: 0.3
url:	/archive/1/480995	Trust: 0.3

sources: VULHUB: VHN-28575 // BID: 25837 // JVNDB: JVNDB-2007-006179 // CNNVD: CNNVD-200710-067 // NVD: CVE-2007-5213

CREDITS

ProCheckUp is credited with the discovery of these vulnerabilities.

Trust: 0.3

sources: BID: 25837

SOURCES

db:	VULHUB	id:	VHN-28575
db:	BID	id:	25837
db:	JVNDB	id:	JVNDB-2007-006179
db:	CNNVD	id:	CNNVD-200710-067
db:	NVD	id:	CVE-2007-5213

LAST UPDATE DATE

2024-11-23T22:09:45.971000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-28575	date:	2018-10-15T00:00:00
db:	BID	id:	25837	date:	2016-07-06T14:17:00
db:	JVNDB	id:	JVNDB-2007-006179	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-200710-067	date:	2007-10-08T00:00:00
db:	NVD	id:	CVE-2007-5213	date:	2024-11-21T00:37:23.387

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-28575	date:	2007-10-04T00:00:00
db:	BID	id:	25837	date:	2007-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2007-006179	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-200710-067	date:	2007-10-04T00:00:00
db:	NVD	id:	CVE-2007-5213	date:	2007-10-04T23:17:00