{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53701", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2025-07-08T14:49:12.283Z", "datePublished": "2025-10-23T13:39:46.472Z", "dateUpdated": "2025-10-23T14:56:20.217Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "VS-IPC1002", "vendor": "Vilar", "versions": [{"status": "affected", "version": "1.1.0.18", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Szymon Paszun"}], "datePublic": "2025-10-23T14:10:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Vilar </span><span style=\"background-color: rgb(255, 255, 255);\">VS-IPC1002 <span style=\"background-color: rgb(255, 255, 255);\">IP cameras are <span style=\"background-color: rgb(255, 255, 255);\">vulnerable to Reflected XSS (Cross-site Scripting) </span><span style=\"background-color: rgb(255, 255, 255);\">attacks, because parameters in </span><span style=\"background-color: rgb(255, 255, 255);\">GET requests sent to /cgi-bin</span>/action endpoint are not sanitized properly, making it possible to target logged in admin users.</span></span><br>The vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well."}], "value": "Vilar VS-IPC1002 IP cameras are vulnerable to Reflected XSS (Cross-site Scripting) attacks, because parameters in GET requests sent to /cgi-bin/action endpoint are not sanitized properly, making it possible to target logged in admin users.\nThe vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-10-23T13:39:46.472Z"}, "references": [{"url": "https://cert.pl/en/posts/2025/10/CVE-2025-53701"}], "source": {"discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned"], "title": "XSS vulnerability in Vilar VS-IPC1002 IP cameras", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-23T14:56:06.990606Z", "id": "CVE-2025-53701", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-23T14:56:20.217Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53701", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-23T14:56:06.990606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-23T14:56:13.702Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "XSS vulnerability in Vilar VS-IPC1002 IP cameras", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Szymon Paszun"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Vilar", "product": "VS-IPC1002", "versions": [{"status": "affected", "version": "1.1.0.18", "versionType": "custom"}], "defaultStatus": "unknown"}], "datePublic": "2025-10-23T14:10:00.000Z", "references": [{"url": "https://cert.pl/en/posts/2025/10/CVE-2025-53701"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Vilar VS-IPC1002 IP cameras are vulnerable to Reflected XSS (Cross-site Scripting) attacks, because parameters in GET requests sent to /cgi-bin/action endpoint are not sanitized properly, making it possible to target logged in admin users.\nThe vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Vilar </span><span style=\"background-color: rgb(255, 255, 255);\">VS-IPC1002 <span style=\"background-color: rgb(255, 255, 255);\">IP cameras are <span style=\"background-color: rgb(255, 255, 255);\">vulnerable to Reflected XSS (Cross-site Scripting) </span><span style=\"background-color: rgb(255, 255, 255);\">attacks, because parameters in </span><span style=\"background-color: rgb(255, 255, 255);\">GET requests sent to /cgi-bin</span>/action endpoint are not sanitized properly, making it possible to target logged in admin users.</span></span><br>The vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-10-23T13:39:46.472Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53701", "state": "PUBLISHED", "dateUpdated": "2025-10-23T14:56:20.217Z", "dateReserved": "2025-07-08T14:49:12.283Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2025-10-23T13:39:46.472Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "cvd@cert.pl", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Vilar VS-IPC1002 IP cameras are vulnerable to Reflected XSS (Cross-site Scripting) attacks, because parameters in GET requests sent to /cgi-bin/action endpoint are not sanitized properly, making it possible to target logged in admin users.\nThe vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well."}], "id": "CVE-2025-53701", "lastModified": "2025-10-23T14:15:39.107", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2025-10-23T14:15:39.107", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2025/10/CVE-2025-53701"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"created": "2025-10-24T10:17:08.113226+00:00", "updated": "2025-10-24T10:17:08.113251+00:00", "vendors": ["vilar", "vilar$PRODUCT$vs-ipc1002"]}