Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Cross-site scripting (XSS) in Apeman ID71 EN75.8.53.20 allows authenticated remote attackers to inject malicious scripts via the alias parameter in /set_alias.cgi, requiring user interaction for payload execution. Publicly available exploit code exists, but EPSS score of 0.03% and vendor non-responsiveness suggest limited real-world exploitation despite confirmed POC availability.
Technical ContextAI
The vulnerability exists in the /set_alias.cgi endpoint of Apeman ID71 IP cameras, a budget-class network camera device. The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw where user-supplied input in the 'alias' parameter is not properly sanitized before being reflected in HTTP responses or stored in the device configuration. This allows injection of arbitrary JavaScript code that executes in the context of an authenticated user's browser session. The CVSS v4.0 vector indicates network-accessible endpoint, low attack complexity, and requires prior authentication (PR:L) plus user interaction (UI:P) to trigger the payload, limiting the practical attack surface.
Affected ProductsAI
Apeman ID71 version EN75.8.53.20 is confirmed affected. The vulnerability is specific to this device model and version; whether earlier or later firmware versions are affected is not documented in available sources. No CPE string was provided in source data. The vendor (Apeman) has not released a public advisory or patch statement despite early disclosure notification.
RemediationAI
No vendor-released patch identified at time of analysis, as the manufacturer did not respond to early disclosure. For affected users, immediate mitigation requires restricting administrative access to the device to trusted networks only and disabling remote management features if not required. Implement network-level controls such as requiring VPN access to the camera, isolating the device on a separate IoT VLAN with strict egress filtering, and disabling the web interface entirely if management is not needed. Users should avoid clicking on untrusted links while authenticated to the device and consider replacing the device with a maintained alternative if remote management is required. Because no patch will likely be issued, security-conscious deployments should assume this device is at end-of-life and plan upgrade timelines accordingly.
Share
External POC / Exploit Code
Leaving vuln.today