CVE-2023-43260 : Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 was discovered to conta

Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the admin panel.

Published 2023-10-05 19:15:12

Updated 2023-10-11 17:37:28

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-43260

Milesight » Ur32l Firmware
Versions before (<) 35.3.0.7
cpe:2.3:o:milesight:ur32l_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Milesight » Ur32l » Version: N/A
Milesight » Ur32 Firmware
Versions before (<) 35.3.0.7
cpe:2.3:o:milesight:ur32_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Milesight » Ur32 » Version: N/A
Milesight » Ur35 Firmware
Versions before (<) 35.3.0.7
cpe:2.3:o:milesight:ur35_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Milesight » Ur35 » Version: N/A
Milesight » Ur41 Firmware
Versions before (<) 35.3.0.7
cpe:2.3:o:milesight:ur41_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Milesight » Ur41 » Version: N/A
Milesight » Ur51 Firmware
Versions before (<) 35.3.0.7
cpe:2.3:o:milesight:ur51_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Milesight » Ur51 » Version: N/A
Milesight » Ur52 Firmware
Versions before (<) 35.3.0.7
cpe:2.3:o:milesight:ur52_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Milesight » Ur52 » Version: N/A
Milesight » Ur55 Firmware
Versions before (<) 35.3.0.7
cpe:2.3:o:milesight:ur55_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Milesight » Ur55 » Version: N/A

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

Jump to