PT-2006-3438 · Mobotix · Mobotix IP Network Cameras M22+2

Jaime Blasco · Published 2006-05-19 · Updated 2018-10-18 · CVE-2006-2490

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Mobotix IP Network Cameras M1 version 1.9.4.7
Mobotix IP Network Cameras M10 versions 2.0.5.2 through 2.2.3.18
Mobotix IP Network Cameras M22 versions prior to 3.0.3.31

Description

The issue allows remote attackers to inject arbitrary web script or HTML via URL-encoded values in several parameters. Specifically, the vulnerabilities exist in (1) the query string to "help/help", (2) the get image info abspath parameter to "control/eventplayer", and (3) the source ip parameter to "events.tar".

Recommendations

For M1 version 1.9.4.7, update to a version later than 1.9.4.7. For M10 versions 2.0.5.2 through 2.2.3.18, update to version 2.2.3.18 or later. For M22 versions prior to 3.0.3.31, update to version 3.0.3.31 or later. As a temporary workaround, consider restricting access to the "help/help" page, the "control/eventplayer" endpoint, and the "events.tar" file until a patch is available. Avoid using URL-encoded values in the get image info abspath and source ip parameters until the issue is resolved.
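As an added example (not part of the advisory or of Mobotix firmware), the following Python detector scans web-server access logs for requests to the three endpoints named above whose query string carries URL-encoded, including double-encoded, HTML or script. The parameter names `abspath` and `source_ip` are assumptions, since the advisory only describes them informally, and the log lines are constructed samples:

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints named in the advisory. Parameter names are assumptions: the advisory
# only describes them informally ("get image info abspath", "source ip").
WATCHED = {"/help/help": None, "/control/eventplayer": {"abspath"}, "/events.tar": {"source_ip"}}
# Heuristic markers of injected markup: tag opener, javascript: URL, on*= handler.
MARKERS = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]{3,}\s*=", re.IGNORECASE)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Peel repeated URL-encoding so %253C (double-encoded '<') is still caught."""
    while rounds and unquote(value) != value:
        value, rounds = unquote(value), rounds - 1
    return value

def suspicious_params(request_target):
    """(path, param, decoded_value) triples for watched endpoints carrying markup-like input."""
    parts = urlsplit(request_target)
    suffix = next((s for s in WATCHED if parts.path.endswith(s)), None)
    if suffix is None:
        return []
    watched, hits = WATCHED[suffix], []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if watched is not None and name not in watched:
            continue
        # help/help is hit through the bare query string, so a name with no value matters too
        for label, field in ((name, raw), ("(query)", name)):
            decoded = fully_decode(field)
            if MARKERS.search(decoded):
                hits.append((parts.path, label, decoded))
                break
    return hits

def scan_access_log(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, target = m.group(1, 2)
            for path, param, value in suspicious_params(target):
                findings.append({"client": client, "path": path, "param": param, "value": value})
    return findings

# Constructed sample lines (not real traffic): two injection attempts and one benign request.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/May/2006:10:01:02 +0000] "GET /help/help?%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '192.0.2.11 - - [19/May/2006:10:02:07 +0000] "GET /control/eventplayer?abspath=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048',
    '192.0.2.12 - - [19/May/2006:10:03:11 +0000] "GET /events.tar?source_ip=10.0.0.5 HTTP/1.1" 200 8192',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns the first two requests and ignores the benign `events.tar` download; the decoding loop is what keeps a double-encoded payload from slipping past a single-pass filter.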

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2006-2490

Affected Products:
Mobotix IP Network Cameras M1
Mobotix IP Network Cameras M10
Mobotix IP Network Cameras M22