Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote authenticated users to inject arbitrary web script or HTML via the (1) SYSCONTACT parameter to form/identityApply, as triggered using en/identity.asp; (2) PASSWD parameter to form/accAdd, as triggered using en/account/accedit.asp; (3) NTPSERVER parameter to form/clockApply, as triggered using en/clock.asp; (4) SERVER parameter to form/smtpclientApply, as triggered using en/smtpclient.asp; (5) SERVER parameter to form/ftpApply, as triggered using en/ftp.asp; or (6) SERVER parameter to form/httpEventApply, as triggered using en/httpevent.asp.
CVSS Score
3.5 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Y-Cam | Ycb004 Firmware | 4.30 |
| Y-Cam | Ycb004 | All versions |
| Y-Cam | Ycb002 Firmware | 4.30 |
| Y-Cam | Ycb002 | All versions |
| Y-Cam | Yck002 Firmware | 4.30 |
| Y-Cam | Yck002 | All versions |
| Y-Cam | Yck003 Firmware | 4.30 |
| Y-Cam | Yck003 | All versions |
| Y-Cam | Yceb03 Firmware | 4.30 |
| Y-Cam | Yceb03 | All versions |
| Y-Cam | Ycb001 Firmware | 4.30 |
| Y-Cam | Ycb001 | All versions |
| Y-Cam | Ycblhd5 Firmware | 4.30 |
| Y-Cam | Ycblhd5 | All versions |
| Y-Cam | Ycblb3 Firmware | 4.30 |
| Y-Cam | Ycblb3 | All versions |
| Y-Cam | Ycb003 Firmware | 4.30 |
| Y-Cam | Ycb003 | All versions |
| Y-Cam | Ycw003 Firmware | 4.30 |
| Y-Cam | Ycw003 | All versions |
Related Weaknesses (CWE)
References
- http://www.y-cam.com/y-cam-security-fix/ (Patch, Vendor Advisory)
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2014-007/ (Exploit)
FAQ
What is CVE-2014-1902?
CVE-2014-1902 is a vulnerability with a CVSS score of 3.5 (LOW). Multiple cross-site scripting (XSS) vulnerabilities in Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD ...
How severe is CVE-2014-1902?
CVE-2014-1902 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-1902?
Check the references section above for vendor advisories and patch information. Affected products include: Y-Cam Ycb004 Firmware, Y-Cam Ycb004, Y-Cam Ycb002 Firmware, Y-Cam Ycb002, Y-Cam Yck002 Firmware.