-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-020 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Reflected Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-04-05 Solution Date: 2024-07-31 Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45176 Authors of Advisory: Chris Beiter, Frederik Beimgraben, and Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Due to improper input validation, the C-MOR web interface is vulnerable to reflected cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the C-MOR web interface, it was found that different functions are prone to reflected cross-site scripting attacks due to insufficient user input validation. This kind of attack allows an attacker to send a manipulated link to an authenticated victim in order to execute arbitrary JavaScript code in the context of the victim's web browser. Reflected cross-site scripting vulnerabilities were found in the following C-MOR scripts and exploited via different URL parameters, for instance the parameter "ujava": * index-de.plm * list-timelapse.plm * list-motion.plm * setdelays.plm * show-movies.plm * show-movies-f.plm * uploadcambackup.plm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following three sample attack vectors exemplarily demonstrate the found security issue. 1) index-de.plm The following URL is an example of an attack vector exploiting a reflected cross-site scripting vulnerability via the URL parameter "ujava" of the web interface index page "index-de.plm": https:///index-de.pml?ujava=">/list-timelapse.pml?days=1100&cam=cam1">/show-movies.pml?cam=cam1&days=">