CVE-2021-23860: Reflected Cross Site Scripting (XSS) vulnerability in Bosch VRM / BVMS
First published: Wed Dec 08 2021(Updated: )
An error in a page handler of the VRM may lead to a reflected cross site scripting (XSS) in the web-based interface. To exploit this vulnerability an attack must be able to modify the HTTP header that is sent. This issue also affects installations of the DIVAR IP and BVMS with VRM installed.
Credit: psirt@bosch.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bosch Bosch Video Management System | <=9.0 | |
| Bosch Bosch Video Management System | >=10.0<10.0.2 | |
| Bosch Bosch Video Management System | =10.1 | |
| Bosch Bosch Video Management System | =11.0 | |
| Bosch Video Recording Manager | <=3.81 | |
| Bosch Video Recording Manager | >=3.82<=3.82.0057 | |
| Bosch Video Recording Manager | >=3.83<=3.83.0021 | |
| Bosch Video Recording Manager | >=4.0<=4.00.0070 | |
| Bosch Divar Ip 5000 Firmware | ||
| Bosch Divar Ip 7000 Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-23860?
CVE-2021-23860 is a vulnerability in the VRM (Video Recording Manager) and the web-based interface of Bosch Video Management System (BVMS) that may lead to a reflected cross-site scripting (XSS) attack.
How does CVE-2021-23860 affect Bosch Video Management System (BVMS)?
CVE-2021-23860 affects installations of BVMS versions 9.0 to 11.0, allowing an attacker to exploit a page handler error in the VRM and perform a reflected XSS attack through the web-based interface.
Can CVE-2021-23860 be exploited remotely?
Yes, CVE-2021-23860 can be exploited remotely if the attacker is able to modify the HTTP header that is sent.
Is Bosch Divar IP firmware affected by CVE-2021-23860?
No, Bosch Divar IP 5000 and 7000 firmware are not vulnerable to CVE-2021-23860.
How severe is CVE-2021-23860?
CVE-2021-23860 has a severity score of 6.1 (Medium).
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- vendor/bosch
- canonical/bosch bosch video management system
- version/bosch bosch video management system/9.0
- version/bosch bosch video management system/10.0
- version/bosch bosch video management system/10.1
- version/bosch bosch video management system/11.0
- canonical/bosch video recording manager
- version/bosch video recording manager/3.81
- version/bosch video recording manager/3.82
- version/bosch video recording manager/3.82.0057
- version/bosch video recording manager/3.83
- version/bosch video recording manager/3.83.0021
- version/bosch video recording manager/4.0
- version/bosch video recording manager/4.00.0070
- canonical/bosch divar ip 5000 firmware
- canonical/bosch divar ip 7000 firmware