Selea Targa IP OCR-ANPR Camera Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Selea Targa IP OCR-ANPR Camera. The issue resides in the 'files_list' parameter, which allows attackers to inject malicious HTML and script code. It can be exploited by sending a POST request to '/cgi-bin/get_file.php' with a crafted payload; the injected code then executes as arbitrary script in the context of the victim's browser session.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: injected scripts are executed in the context of the user's browser session.
Reproduction
To reproduce this vulnerability, send a POST request to '/cgi-bin/get_file.php' with the 'files_list' parameter containing the injected script or HTML. The injected content will be executed in the user's browser session when the file list is accessed.
Remediation
The vendor has released patches for this vulnerability in newer versions of the camera firmware and the CarPlateServer software.
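For units that cannot be upgraded immediately, requests to the affected endpoint can be screened in front of the camera's web interface or reviewed from captured traffic. The following is an added example, not vendor code or part of the original advisory; the character allowlist, the function names and the sample requests are assumptions and must be tuned to what a given unit legitimately sends in 'files_list'.

```python
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/cgi-bin/get_file.php"   # endpoint named in the advisory
TARGET_PARAM = "files_list"             # parameter named in the advisory
# Assumption: legitimate values are plain file names or paths, optionally
# separated by commas or spaces. Anything else is treated as suspicious.
DISALLOWED = re.compile(r"[^A-Za-z0-9_./\-, ]")


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so that e.g. %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(method, path, body):
    """Return a list of reasons to block or alert on the request (empty if none)."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    findings = []
    # parse_qs performs the first round of URL-decoding on the form body.
    for raw in parse_qs(body, keep_blank_values=True).get(TARGET_PARAM, []):
        bad = sorted(set(DISALLOWED.findall(fully_decode(raw))))
        if bad:
            findings.append(
                f"{TARGET_PARAM} contains disallowed characters: {''.join(bad)}"
            )
    return findings


# Constructed sample requests (method, path, form-encoded body), not real traffic.
SAMPLES = [
    ("POST", TARGET_PATH, "files_list=2021_01_01_120000.jpg"),
    ("POST", TARGET_PATH, "files_list=%3Cb%3Etest%3C%2Fb%3E"),
    ("POST", TARGET_PATH, "files_list=%253Cb%253Etest"),
    ("GET", TARGET_PATH, ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, body or "-", "->", check_request(method, path, body) or "ok")
```

A filter like this is only a compensating control; the firmware and CarPlateServer updates remain the fix.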
