Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability.
AnalysisAI
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 1.10 web interface (ssi.cgi) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability achieves scope change (S:C in CVSS), enabling access to high-confidentiality data across security contexts despite requiring user interaction. No public exploit code or CISA KEV listing identified at time of analysis, though vendor advisory confirms the flaw. EPSS data not available. The RCE tag appears to be a mislabeling - this is strictly client-side JavaScript execution (XSS), not server-side remote code execution.
Technical ContextAI
GeoVision LPC2011/LPC2211 are IP-based license plate capture cameras with embedded web interfaces for device management. The vulnerability resides in the ssi.cgi component (Server Side Include CGI handler), which fails to sanitize user-supplied input before reflecting it in HTTP responses. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application accepts untrusted data and includes it in dynamically generated web content without validation or encoding. The CPE string (cpe:2.3:a:geovision_inc.:gv-lpc2011/lpc2211:*:*:*:*:*:*:*:*) confirms all versions are affected, with the description specifying firmware version 1.10. Reflected XSS differs from stored XSS in that the malicious payload is not persisted on the server but instead delivered through the attack vector itself (URL parameters in this case), requiring social engineering to deliver the crafted link to victims. The CVSS scope change metric (S:C) indicates the JavaScript executes in a context that can access resources beyond the vulnerable application itself, likely due to session tokens or cookies shared across GeoVision's web interface domains.
RemediationAI
Upgrade to patched firmware per GeoVision's security advisory at https://www.geovision.com.tw/cyber_security.php - the advisory should specify the fixed version, which is not independently confirmed in available CVE data. Until patching is complete, implement defense-in-depth controls: restrict web interface access to trusted management VLANs or VPN-only connections using firewall rules (blocks attack vector but impacts remote administration); disable the ssi.cgi endpoint if functionality is not operationally required (may break certain web interface features - test in non-production first); deploy web application firewall rules to detect and block common XSS patterns in URLs targeting the affected cameras, though this is bypassable with encoding techniques; enforce Content Security Policy headers via reverse proxy if cameras sit behind centralized management infrastructure (requires additional infrastructure). For cameras exposed to semi-trusted users (e.g., building security staff), implement security awareness training on recognizing malicious URLs and prohibit following links from untrusted sources when accessing camera interfaces. Monitor web server logs for unusual ssi.cgi requests with encoded JavaScript or event handlers. Note that XSS mitigations do not prevent exploitation if attackers achieve authenticated access through other means - this is strictly a perimeter defense strategy.
More in Gv Lpc2011 Lpc2211
View allPrivilege escalation in GeoVision LPC2011/LPC2211 1.10 web interface allows authenticated remote attackers to execute pr
Authenticated OS command injection in the DdnsSetting.cgi handler of GeoVision GV-LPC2011/LPC2211 license plate capture
Authentication bypass in GeoVision LPC2011/LPC2211 license plate camera firmware version 1.10 allows remote unauthentica
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 Web Interface enables remote attackers to execute arbitrary
Privilege escalation in GeoVision LPC2011/LPC2211 Web Interface allows authenticated attackers to leak stored credential
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26857