Cross-Site Scripting Vulnerabilities in Milesight VPN by Milesight
CVE-2023-24497

4.7MEDIUM

Key Information:

Vendor: Milesight
Status: Milesightvpn
Vendor: CVE Published:; 6 July 2023

What is CVE-2023-24497?

Cross-site scripting vulnerabilities have been identified in the 'detail_device' functionality of the requestHandlers.js in Milesight VPN version 2.0.2. These vulnerabilities can be exploited by sending specifically crafted HTTP requests that allow an attacker to inject arbitrary JavaScript code. The exploitation occurs via the remote_subnet field in the database, making it critical for users to apply appropriate security measures to mitigate potential risks.

Affected Version(s)

MilesightVPN v2.0.2

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 6, 2023
Vulnerability Reserved
Jan 24, 2023

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-24497 Data

JSON