Uniview has released a fix for a cross-site scripting vulnerability in its NVR301-04S2-P4 for which public exploit code is available, according to an advisory from CISA.

The vulnerability is remotely exploitable: an attacker could send a user a URL that, if clicked, would execute malicious JavaScript in the user's browser. CISA discovered a public proof of concept (PoC) authored by Bleron Rrustemi and reported it to Uniview.

The following version of the Uniview NVR, a network video recorder, is affected: NVR301-04S2-P4, versions prior to NVR-B3801.20.17.240507.

The affected product is vulnerable to reflected cross-site scripting (XSS). An attacker could send a user a URL that, if clicked, would execute malicious JavaScript in the user's browser. Exploitation requires authentication, which limits the scope and severity, and even when the JavaScript does execute, it yields no additional benefit to the attacker.

CVE-2024-3850 is the identifier assigned to this vulnerability, which has a CVSS v3.1 base score of 5.4 and a CVSS v4 base score of 4.8.

The product is deployed mainly in the commercial facilities sector, on a global basis.

China-based Uniview encourages users to obtain the fixed version, Uniview NVR-B3801.20.17.240507, and update. Contact your local dealer, the Uniview Service Hotline, or regional technical support for assistance.
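As an added example that is not from the advisory or from Uniview, the following inventory check flags NVR301-04S2-P4 units that still report a firmware build older than the fixed NVR-B3801.20.17.240507. The version-string layout it parses (a model prefix followed by dot-separated numeric fields ending in a YYMMDD build date, compared field by field) is an assumption, not a vendor-documented scheme.

```python
import re

# Fixed build named in the advisory; anything earlier on this line is affected.
FIXED_VERSION = "NVR-B3801.20.17.240507"

# Assumption (not documented by the vendor): "NVR-B3801" is a model prefix,
# the remaining dot-separated fields are numeric (last one a YYMMDD date),
# and builds order by comparing those fields numerically left to right.
_VERSION_RE = re.compile(r"^(?P<prefix>[A-Z]+-[A-Z]\d+)((?:\.\d+)+)$")


def parse_version(version: str) -> tuple[str, tuple[int, ...]]:
    """Split 'NVR-B3801.20.17.240507' into ('NVR-B3801', (20, 17, 240507))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Uniview version string: {version!r}")
    fields = tuple(int(f) for f in m.group(2).split(".") if f)
    return m.group("prefix"), fields


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is a build on the fixed build's line but older than it."""
    prefix, fields = parse_version(version)
    fixed_prefix, fixed_fields = parse_version(fixed)
    if prefix != fixed_prefix:
        # A different firmware line: this advisory says nothing about it,
        # so refuse to guess rather than silently report "not affected".
        raise ValueError(f"{version!r} is not on the {fixed_prefix} line")
    return fields < fixed_fields


def triage(inventory: dict[str, str]) -> list[str]:
    """Return hostnames from a {host: firmware_version} inventory that still need the update."""
    return [host for host, ver in inventory.items() if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; only the fixed build string comes from the advisory,
    # the older and newer build strings are made up for illustration.
    sample = {
        "nvr-lobby": "NVR-B3801.20.17.240507",
        "nvr-dock": "NVR-B3801.20.16.240101",
        "nvr-yard": "NVR-B3801.20.17.240601",
    }
    for host in triage(sample):
        print(f"{host}: update required (CVE-2024-3850, authenticated reflected XSS)")
```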
