Security Notice - Reflected Cross-Site Scripting (XSS) Vulnerability in Some Uniview NVR Products
2024-06-14

SA ID: USRC-202406-01

First Published: 2024-06-14

Summary

A reflected Cross-Site Scripting (XSS) vulnerability was found in some Uniview NVR products. An attacker could send a user a URL that, if clicked, could execute malicious JavaScript in the user's browser.

This vulnerability also requires authentication before it can be exploited, so its scope and severity are limited. Also, even if JavaScript is executed, no additional benefit is obtained.

We advise against using port forwarding and recommend disabling UPnP to avoid attacks from the Internet.

CVE ID: CVE-2024-3850

Scoring

CVSS v3 is used for this vulnerability scoring (http://www.first.org/cvss/specification-document).

Base score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected versions and fixed version:

Product Models                                     Affected Version                     Fixed Version
NVR301-04S3, NVR301-08S3, NVR301-16S3,             NVR-B3610.32.20.231219 and earlier   NVR-B3610.33.27.240523 and later
NVR301-04LS2, NVR301-08LS2, NVR301-04LS3-P4,
NVR301-04S3-P4, NVR301-08S3-P8, NVR301-08LS3-P8,
NVR301-16LS3-P8
NVR301-04S2-P4                                     NVR-B3801.20.15.200829 and earlier   NVR-B3801.20.17.240507 and later
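As an added example that is not part of this advisory, the following Python check classifies a firmware version string reported by an NVR against the affected and fixed versions listed above. The version format and the B3610/B3801 platform prefixes are assumed from the version strings in the table; the inventory sample is constructed.

```python
import re

# Thresholds from advisory USRC-202406-01 (CVE-2024-3850), keyed by the
# firmware platform prefix so that B3610 and B3801 builds are never compared
# with each other (assumption: the prefix identifies the firmware line).
ADVISORY = {
    "B3610": {"affected_max": "NVR-B3610.32.20.231219", "fixed_min": "NVR-B3610.33.27.240523"},
    "B3801": {"affected_max": "NVR-B3801.20.15.200829", "fixed_min": "NVR-B3801.20.17.240507"},
}

_VERSION_RE = re.compile(r"^NVR-(B\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(version):
    """Split 'NVR-B3610.32.20.231219' into ('B3610', (32, 20, 231219))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Uniview firmware version: {version!r}")
    platform, *parts = m.groups()
    return platform, tuple(int(p) for p in parts)


def classify(version):
    """Return 'affected', 'fixed', 'unknown' (a build between the two
    thresholds, which the advisory does not describe) or 'not_listed'
    (platform prefix not covered by the advisory)."""
    platform, num = parse_version(version)
    entry = ADVISORY.get(platform)
    if entry is None:
        return "not_listed"
    _, affected_max = parse_version(entry["affected_max"])
    _, fixed_min = parse_version(entry["fixed_min"])
    if num <= affected_max:
        return "affected"
    if num >= fixed_min:
        return "fixed"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inventory: device label -> firmware string as reported.
    inventory = {
        "NVR301-08S3 (lobby)": "NVR-B3610.32.20.231219",
        "NVR301-04S2-P4 (warehouse)": "NVR-B3801.20.17.240507",
        "NVR301-16S3 (site B)": "NVR-B3610.33.1.240101",
    }
    for label, firmware in inventory.items():
        print(f"{label}: {firmware} -> {classify(firmware)}")
```

Builds that fall between the "and earlier" and "and later" thresholds are reported as unknown rather than guessed, so they can be confirmed with technical support.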


Obtaining fixed firmware

Please update to the fixed versions. You may contact your distribution channel, the Service Hotline, or regional technical support for help.

Service Hotline/regional technical support: https://global.uniview.com/About_Us/Contact_Us/

Some Uniview products support cloud upgrade; the relevant fixed versions can be obtained through cloud upgrade.

Source of vulnerability information:

Thanks to CISA for reporting this vulnerability.

Contact Us:

Should you have any security issues or concerns with our products or solutions, please contact us at security@uniview.com.
