CVE-2015-8256
published 2017-04-17

CVE-2015-8256: Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.

Priority: P3 · 50 · medium
CVSS 3.0: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EXPLOIT
EPSS: 50.75% (98.8th percentile)

Detection & IOCs (extracted from sources)

url: http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=prompt("AXIS_PASSWORD:")
url: http://{axishost}/axis-cgi/admin/systemlog.cgi?id
url: http://{axis-cam-model}/view/view.shtml?imagePath=0WLLalert('AXIS-XSS')alert('SmithW')
url: http://{axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E
url: http://{axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axisalert(1)
path: {HTMLROOT}/showReport.shtml
path: {HTMLROOT}/config.shtml
path: {HTMLROOT}/incl/top_incl.shtml
path: {HTMLROOT}/incl/popup_header.shtml
path: {HTMLROOT}/incl/page_header.shtml
path: {HTMLROOT}/incl/top_incl_popup.shtml
path: {HTMLROOT}/viewAreas.shtml
path: {HTMLROOT}/vmd.shtml
path: {HTMLROOT}/custom_whiteBalance.shtml
path: {HTMLROOT}/playWindow.shtml
path: {HTMLROOT}/incl/ptz_incl.shtml
path: {HTMLROOT}/view.shtml
path: {HTMLROOT}/streampreview.shtml
  • Monitor HTTP requests to /axis-cgi/vaconfig.cgi with a 'name' parameter containing JavaScript payloads (e.g., script tags, alert(), prompt()) — this is the stored XSS injection vector that writes to /var/log/messages.
  • Monitor HTTP requests to /operator/recipient_test.shtml with a 'protocol' parameter containing URL-encoded script tags (e.g., %3Cscript%3E) — reflected XSS vector.
  • Monitor HTTP requests to /admin/showReport.shtml with a 'pageTitle' parameter containing JavaScript payloads — reflected XSS vector.
  • Monitor HTTP requests to /view/view.shtml with an 'imagePath' parameter containing JavaScript payloads — reflected XSS affecting all AXIS device models.
  • The stored XSS payload injected via vaconfig.cgi is triggered when an admin views system logs at /axis-cgi/admin/systemlog.cgi — correlate injection requests with subsequent log-viewing sessions.
  • The XSS vulnerabilities can be chained with CSRF to perform privileged actions (create/edit/remove users and applications) — look for unexpected admin API calls following XSS trigger events.
  • No vendor patch or workaround was provided at the time of disclosure; the vulnerability remains unmitigated per the advisory.
  • The reflected XSS affects ALL models of AXIS devices on the same vulnerable parameters, broadening the detection scope.
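
The monitoring and correlation steps above, as an added example (not code from the advisory or from Axis): a Python scan of reverse-proxy or web access logs that flags script-like values in the four named parameters and marks the next system-log view after a vaconfig.cgi injection. The combined log format, the `scan` function, the script-content heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> (parameter, XSS type), taken from the detection notes above.
WATCHED = {
    "/axis-cgi/vaconfig.cgi": ("name", "stored"),
    "/operator/recipient_test.shtml": ("protocol", "reflected"),
    "/admin/showReport.shtml": ("pageTitle", "reflected"),
    "/view/view.shtml": ("imagePath", "reflected"),
}
LOG_VIEW = "/axis-cgi/admin/systemlog.cgi"
# Assumed heuristic for script-like content, applied after URL decoding.
SCRIPTY = re.compile(
    r"<\s*script|javascript:|\bon\w+\s*=|\b(?:alert|prompt|confirm)\s*\(", re.I)
# Combined log format: client, identd, user, [time], "METHOD target PROTO".
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def scan(lines):
    """Return (line_no, client, finding, path) tuples for suspicious requests."""
    findings, pending_stored = [], False
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path == LOG_VIEW:
            # The stored payload fires when an admin opens the system log.
            if pending_stored:
                findings.append((n, client, "log-view-after-injection", url.path))
                pending_stored = False
            continue
        if url.path not in WATCHED:
            continue
        param, kind = WATCHED[url.path]
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        if any(SCRIPTY.search(v) for v in values):
            findings.append((n, client, f"{kind}-xss-attempt", url.path))
            pending_stored = pending_stored or kind == "stored"
    return findings

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /axis-cgi/vaconfig.cgi?action=get&name=prompt(%22AXIS_PASSWORD:%22) HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /view/view.shtml?imagePath=0 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 300',
    '192.0.2.10 - admin [01/Jan/2024:10:05:00 +0000] "GET /axis-cgi/admin/systemlog.cgi?id HTTP/1.1" 200 4000',
]
```

A `log-view-after-injection` finding marks the admin session to review for the unexpected user or application changes mentioned in the CSRF note.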

CVSS provenance

nvd · v3.0 · 6.1 MEDIUM · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N