CVE-2024-3850

MEDIUM NUCLEI

Uniview NVR301-04S2-P4 Firmware < nvr-b3801.20.17.240507 - Authenticated Reflected Cross-Site Scripting

Title source: llm

Exploitation Summary

CVE-2024-3850 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

Uniview NVR301-04S2-P4 is vulnerable to reflected cross-site scripting attack (XSS). An attacker could send a user a URL that if clicked on could execute malicious JavaScript in their browser. This vulnerability also requires authentication before it can be exploited, so the scope and severity is limited. Also, even if JavaScript is executed, no additional benefits are obtained.

Nuclei Templates (1)

Uniview NVR301-04S2-P4 - Cross-Site Scripting

MEDIUMVERIFIEDby Bleron Rrustemi,r3naissance

FOFA: title="NVR301-04-P4"

References (2)

Core 2

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/news-events/ics-advisories/icsa-24-156-01

Various Sources

https://github.com/r3naissance/nuclei-templates/blob/main/http/cves/2024/CVE-2024-3850.yaml

View Writeup ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0090

EPSS Percentile 54.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

uniview/nvr301-04s2-p4_firmware < nvr-b3801.20.17.240507

Published Jun 10, 2024

Tracked Since Feb 18, 2026