Cross-Site Scripting Vulnerability in Milesight VPN by Milesight
CVE-2023-24496

4.7MEDIUM

Key Information:

Vendor: Milesight
Status: Milesightvpn
Vendor: CVE Published:; 6 July 2023

What is CVE-2023-24496?

The Milesight VPN version 2.0.2 is susceptible to cross-site scripting vulnerabilities, particularly in the requestHandlers.js detail_device functionality. An attacker can exploit this flaw by sending a specially-crafted HTTP request that injects arbitrary JavaScript code. The exploitation occurs via the name field in the database, allowing unauthorized actions and potentially compromising user data.

Affected Version(s)

MilesightVPN v2.0.2

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 6, 2023
Vulnerability Reserved
Jan 24, 2023

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-24496 Data

JSON