PT-2007-6297 · Axis · Axis 2100 Network Camera
Published
2007-10-04
·
Updated
2018-10-15
·
CVE-2007-5214
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
AXIS 2100 Network Camera version 2.02 with firmware 2.43 and earlier
Description
The issue allows remote attackers to inject arbitrary web script or HTML via several methods, including the PATH INFO appended to the default URI of a directory, such as the root directory or the view/ directory. Parameters associated with saved settings, such as the conf_Network_HostName parameter on the Network page and the conf_Layout_OwnTitle parameter to ServerManager.srv, are also vulnerable, as is the query string to ServerManager.srv, which is displayed on the logs page. An attacker can leverage a CSRF vulnerability to modify the saved settings.
Recommendations
For AXIS 2100 Network Camera version 2.02 with firmware 2.43 and earlier, consider disabling the ability to inject parameters into the PATH INFO of the default URI associated with a directory, and restrict access to the conf_Network_HostName and conf_Layout_OwnTitle parameters until a patch is available. Avoid using the query string to ServerManager.srv until the issue is resolved. As a temporary workaround, restrict access to the logs page to minimize the risk of exploitation.
Exploit
Fix
XSS
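As an added defender-side example (not part of the advisory or of Axis firmware), the following Python triages web-server log lines for requests to the endpoints the advisory names whose PATH INFO, settings parameters or ServerManager.srv query string carry HTML or script markup. The log lines are constructed for illustration, and the underscore-joined parameter names conf_Network_HostName and conf_Layout_OwnTitle are assumed from the advisory's wording.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Locations named in the advisory, longest prefix first: ServerManager.srv
# (query string shown on the logs page, settings parameters reflected),
# then the view/ and root directories (PATH INFO reflected).
WATCHED_PATHS = ("/ServerManager.srv", "/view/", "/")
# Assumed underscore-joined spelling of the two settings parameters.
WATCHED_PARAMS = ("conf_Network_HostName", "conf_Layout_OwnTitle")
# Markup that has no business in a hostname, title, path or query value.
MARKUP = re.compile(r"<\s*/?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)
# The quoted "METHOD target HTTP/x.y" field of a common-log-format line.
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def flag_request(line):
    """Return a reason string when the request targets a watched endpoint
    with markup in its path or query string, otherwise None."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    path = unquote(parts.path)
    # PATH INFO abuse: markup in segments after a watched directory or file.
    for base in WATCHED_PATHS:
        if path.startswith(base) and MARKUP.search(path):
            return f"markup in path info after {base}"
    if path.endswith("ServerManager.srv"):
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            if any(MARKUP.search(v) for v in params.get(name, [])):
                return f"markup in {name}"
        if MARKUP.search(unquote(parts.query)):
            return "markup in ServerManager.srv query string"
    return None

# Constructed sample lines (not real traffic) in common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2007:10:00:01 +0000] "GET /view/index.shtml HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Oct/2007:10:00:07 +0000] "GET /view/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [04/Oct/2007:10:00:12 +0000] "GET /ServerManager.srv?conf_Layout_OwnTitle=cam%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 700',
    '10.0.0.9 - - [04/Oct/2007:10:00:15 +0000] "GET /ServerManager.srv?foo=%3Cb%3Ehi HTTP/1.1" 200 700',
    '10.0.0.5 - - [04/Oct/2007:10:00:20 +0000] "GET /ServerManager.srv?conf_Network_HostName=axis-lobby HTTP/1.1" 200 700',
]

def triage(lines):
    """Map each flagged log line to its reason; clean lines are omitted."""
    return {line: reason for line in lines if (reason := flag_request(line))}
```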
Weakness Enumeration
Related Identifiers
Affected Products
Axis 2100 Network Camera