Home

Description

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XXS via the error message for requesting non-existing page.

PUBLISHED Reserved 2026-04-28 | Published 2026-05-04 | Updated 2026-05-04 | Assigner GV




HIGH: 7.4CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status
unaffected

V1.10
affected

V1.20
unaffected

Timeline

2026-02-17:Initial Vendor Contact

Credits

Philippe Laulheret of Cisco Talos. finder

Kelly Patterson of Cisco Talos. remediation reviewer

Martin Zeiser of Cisco Talos. coordinator

References

www.geovision.com.tw/cyber_security.php vendor-advisory

talosintelligence.com/vulnerability_reports/ third-party-advisory

cve.org (CVE-2026-7371)

nvd.nist.gov (CVE-2026-7371)

Download JSON