CVE-2023-24496

Name of the Vulnerable Software and Affected Versions Milesight VPN version 2.0.2

Description Cross-site scripting (xss) vulnerabilities exist in the requestHandlers.js detail device functionality. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger these vulnerabilities. This XSS is exploited through the name field of the database.

Recommendations For Milesight VPN version 2.0.2, consider disabling the detail device functionality in requestHandlers.js until a patch is available. Restrict access to the name field of the database to minimize the risk of exploitation. Avoid using the name field in the affected API endpoint until the issue is resolved.