CVE-2023-24497

Name of the Vulnerable Software and Affected Versions Milesight VPN version 2.0.2

Description Cross-site scripting (xss) vulnerabilities exist in the requestHandlers.js detail device functionality. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger these vulnerabilities. This issue is exploited through the remote subnet field of the database.

Recommendations For Milesight VPN version 2.0.2, consider disabling the detail device functionality in requestHandlers.js until a patch is available. Restrict access to the remote subnet field of the database to minimize the risk of exploitation. Avoid using the remote subnet field in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.