关键漏洞信息 Title: STVS ProVision 5.9.10 Authenticated Reflected Cross-Site Scripting Advisory ID: ZSL-2021-5624 Type: Local/Remote Impact: Cross-Site Scripting Risk: (3/5) Release Date: 26.01.2021 Summary STVS is a Swiss company specializing in developing software for digital video recording for surveillance cameras as well as the establishment of powerful and user-friendly IP video surveillance networks. Description Input passed to the POST parameter 'files' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site. Vendor STVS SA - http://www.stvs.ch Affected Version 5.9.10 (build 2885-3a8219a) 5.9.9 (build 2882-7c3b787) 5.9.7 (build 2871-4d5938) 5.9.1 (build 2771-1bbded11) 5.9.0 (build 2701-6123026) 5.8.6 (build 2557-84726f7) 5.7 5.6 5.5 Tested On Ubuntu 14.04.3 nginx/1.12.1 nginx/1.4.6 nginx/1.1.19 nginx/0.7.65 nginx/0.3.61 Vendor Status [19.01.2021] Vulnerability discovered. [19.01.2021] Vendor contacted. [25.01.2021] No response from the vendor. [26.01.2021] Public security advisory released. PoC provision_xss.txt Credits Vulnerability discovered by Gjoko Krstic - References 1. https://packetstormsecurity.com/files/161158/STVS-ProVision-5.9.10-Cross-Site-Scripting.html 2. https://cxsecurity.com/issue/WLB-2021010188 3. https://exchange.xforce.ibmcloud.com/vulnerabilities/195723 Changelog [26.01.2021] - Initial release [31.01.2021] - Added reference [1], [2] and [3]