Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XXS via the error message for requesting non-existing page.
AnalysisAI
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 Web Interface enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs targeting the ssi.cgi error handler. The vulnerability chains through social engineering (requires user interaction) but achieves high confidentiality impact through changed scope (S:C), allowing session hijacking and credential theft from authenticated administrators. EPSS data not provided; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild. Publicly available exploit code status unknown but detailed technical disclosure exists from Cisco Talos Intelligence.
Technical ContextAI
The vulnerability affects the ssi.cgi component of GeoVision's LPC2011/LPC2211 IP camera firmware version 1.10, specifically in error message handling for non-existing page requests. This is a classic reflected XSS (CWE-79) where user-supplied input in URLs is echoed back in HTTP error responses without proper sanitization or output encoding. The web interface fails to validate or escape parameters before reflecting them in HTML context, allowing injection of <script> tags or event handlers. The CPE string (cpe:2.3:a:geovision_inc.:gv-lpc2011/lpc2211:*:*:*:*:*:*:*:*) identifies this as an application-layer vulnerability in GeoVision's physical security camera platform used for access control and surveillance in corporate and institutional environments. The changed scope (S:C) in the CVSS vector indicates the vulnerable component (web interface) can affect resources beyond its security scope, typically meaning JavaScript execution can access authentication tokens or session data for privileged administrative functions.
RemediationAI
Apply vendor-supplied firmware update from GeoVision's cyber security advisory page (https://www.geovision.com.tw/cyber_security.php) - specific patched firmware version not provided in available data but should be confirmed directly from the advisory. Until patching is complete, implement network-level compensating controls: restrict web interface access to dedicated management VLANs with firewall rules blocking internet-facing access (effectiveness: high, trade-off: requires network segmentation capability); configure reverse proxy with Web Application Firewall rules to sanitize URL parameters and block JavaScript injection patterns in ssi.cgi requests (effectiveness: medium-high, trade-off: adds latency and complexity); deploy security awareness training specifically warning administrators against clicking links to camera management interfaces from untrusted sources like email or messaging apps (effectiveness: low-medium, trade-off: relies on human behavior). For high-security deployments, consider temporary disabling of web-based management in favor of serial console or dedicated management appliances until patch deployment is verified. Note that network isolation is the most reliable mitigation given the changed scope impact - preventing untrusted network access eliminates the AV:N attack vector entirely.
More in Gv Lpc2011 Lpc2211
View allPrivilege escalation in GeoVision LPC2011/LPC2211 1.10 web interface allows authenticated remote attackers to execute pr
Authenticated OS command injection in the DdnsSetting.cgi handler of GeoVision GV-LPC2011/LPC2211 license plate capture
Authentication bypass in GeoVision LPC2011/LPC2211 license plate camera firmware version 1.10 allows remote unauthentica
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 1.10 web interface (ssi.cgi) allows remote unauthenticated a
Privilege escalation in GeoVision LPC2011/LPC2211 Web Interface allows authenticated attackers to leak stored credential
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26863