CVE-2014-1902

Name of the Vulnerable Software and Affected Versions Y-Cam camera models SD range versions 4.30 and earlier Y-Cam camera models S range versions 4.30 and earlier Y-Cam EyeBall version 4.30 and earlier Y-Cam Bullet VGA versions 4.30 and earlier Y-Cam Bullet HD 720 version 4.30 and earlier Y-cam Classic Range versions 4.30 and earlier Y-cam Original Range versions 4.30 and earlier

Description The issue allows remote authenticated users to inject arbitrary web script or HTML via several parameters, including the SYSCONTACT parameter to "form/identityApply" as triggered using "en/identity.asp", the PASSWD parameter to "form/accAdd" as triggered using "en/account/accedit.asp", the NTPSERVER parameter to "form/clockApply" as triggered using "en/clock.asp", the SERVER parameter to "form/smtpclientApply" as triggered using "en/smtpclient.asp", the SERVER parameter to "form/ftpApply" as triggered using "en/ftp.asp", or the SERVER parameter to "form/httpEventApply" as triggered using "en/httpevent.asp".

Recommendations For Y-Cam camera models SD range versions 4.30 and earlier, update the firmware to a version later than 4.30. For Y-Cam camera models S range versions 4.30 and earlier, update the firmware to a version later than 4.30. For Y-Cam EyeBall version 4.30 and earlier, update the firmware to a version later than 4.30. For Y-Cam Bullet VGA versions 4.30 and earlier, update the firmware to a version later than 4.30. For Y-Cam Bullet HD 720 version 4.30 and earlier, update the firmware to a version later than 4.30. For Y-cam Classic Range versions 4.30 and earlier, update the firmware to a version later than 4.30. For Y-cam Original Range versions 4.30 and earlier, update the firmware to a version later than 4.30. As a temporary workaround, consider restricting access to the vulnerable parameters, such as SYSCONTACT, PASSWD, NTPSERVER, and SERVER, until a patch is available.