CVE-2022-28172

Published: Jun 27, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device.

Affected (13)

Products: Hikvision: Ds A71024 Firmware, Ds A71048 Firmware, Ds A71072r Firmware, Ds A80624s Firmware, Ds A81016s Firmware, Ds A72024 Firmware, Ds A72072r Firmware, Ds A80316s Firmware, Ds A82024d Firmware, Ds A71048r Cvs Firmware, Ds A72048r Cvs Firmware

11 products

Ds A71048r Cvs Firmware

Ds A72048r Cvs Firmware

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hikvision Ds A71024 Firmware	Up to 2.3.8-6

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A71048 Firmware	Up to 2.3.8-6

Running on/with	Platform Versions
Hikvision Ds A71048	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A71072r Firmware	Up to 2.3.8-6

Running on/with	Platform Versions
Hikvision Ds A71072r	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A80624s Firmware	Up to 2.3.8-6

Running on/with	Platform Versions
Hikvision Ds A80624s	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A81016s Firmware	Up to 2.3.8-6

Running on/with	Platform Versions
Hikvision Ds A81016s	All versions

Configuration F

1 vulnerable

Vulnerable Software	Affected Versions
Hikvision Ds A72024 Firmware	Up to 2.3.8-6

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A72072r Firmware	Up to 2.3.8-6

Running on/with	Platform Versions
Hikvision Ds A72072r	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A80316s Firmware	Up to 2.3.8-6

Running on/with	Platform Versions
Hikvision Ds A80316s	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A82024d Firmware	Up to 2.3.8-6

Running on/with	Platform Versions
Hikvision Ds A82024d	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A71024 Firmware	Up to 1.1.4

Running on/with	Platform Versions
Hikvision Ds A71024	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A71048r Cvs Firmware	Up to 1.1.4

Running on/with	Platform Versions
Hikvision Ds A71048r Cvs	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A72024 Firmware	Up to 1.1.4

Running on/with	Platform Versions
Hikvision Ds A72024	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hikvision Ds A72048r Cvs Firmware	Up to 1.1.4

Running on/with	Platform Versions
Hikvision Ds A72048r Cvs	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html

Source: hsrc@hikvision.com

Third Party AdvisoryVDB Entry

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products/

Source: hsrc@hikvision.com

Vendor Advisory

http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.