[原文]Multiple cross-site scripting (XSS) vulnerabilities in Mobotix IP Network Cameras M1 18.104.22.168 and M10 22.214.171.124, and other versions before 126.96.36.199 for M10/D10 and 188.8.131.52 for M22, allow remote attackers to inject arbitrary web script or HTML via URL-encoded values in (1) the query string to help/help, (2) the get_image_info_abspath parameter to control/eventplayer, and (3) the source_ip parameter to events.tar.
Mobotix IP Network Camera contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user-supplied variables upon submission to the 'help' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version V184.108.40.206 (for camera models M10/D10) or V220.127.116.11 (for camera model M22) or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.