CVE-2022-40184 JavaScript code in the video jet multi 4000 web interface is not being filtered properly, allowing an attacker with admin credentials to store code and execute it for all admins.

For example, an attacker could inject a script which sends a request to a remote server, receives the results and displays them in the web interface of the VIDEOJET multi 4000. This can be used to obtain information that is protected by the confidentiality policy of the video management software, for example, the list of cameras. Another scenario where an attacker could use this issue is to send a request to a remote server and receive the results in the web interface of the VIDEOJET multi 4000. This could be used to obtain information about the configuration of the video management software that is protected by the integrity policy of the video management software, for example, the list of cameras. In order to exploit this vulnerability, an attacker must have administrative rights on the device that is targeted.

Videojet multi 4000 Remote Code Execution vulnerability CVE-2022-40184

An attacker can exploit a vulnerability in the video management software of videojet multi 4000. This allows an attacker to perform remote code execution by sending a request to a remote server, receiving the results and displaying them in the web interface of the affected device.

Videojet Multi 4000 - Authentication and Authorization

A vulnerability that was discovered in the Videojet Multi 4000, an IP video camera, which allows attackers to obtain information about the configuration of the video management software by sending a request to a remote server and retrieve its results.
In order to exploit this vulnerability, an attacker must have administrative rights on the device that is targeted.

CVE-2022-40185

This vulnerability allows a remote attacker to obtain sensitive information about the configuration of a video management system.
For example, an attacker could inject a script that sends a request to a remote server and receives the results in the web interface of the VIDEOJET multi 4000. This can be used to obtain information that is protected by the confidentiality policy of the video management software, for example, the list of cameras. Another scenario where an attacker could use this issue is to send a request to a remote server and receive the results in the web interface of the VIDEOJET multi 4000. This could be used to obtain information about the configuration of the video management software that is protected by the integrity policy of the video management software, for example, passwords or certificates. In order to exploit this vulnerability, an attacker must have administrative rights on the device that is targeted.

Limitations and restrictions

This vulnerability only affects video management software that is running on a vulnerable application. In order to exploit this vulnerability, the attacker must have administrative rights on the device that is targeted.

Multi 4000 device information disclosure vulnerability

A vulnerability in Videojet's video management software could allow an attacker to obtain confidential information about the device that is targeted.

Timeline

Published on: 10/27/2022 17:15:00 UTC
Last modified on: 10/31/2022 16:16:00 UTC

References

• https://psirt.bosch.com/security-advisories/bosch-sa-454166-bt.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40184