Cp Unr 108F1 System
Monthly
Stored cross-site scripting in CP Plus 1xxx series Network Video Recorder (NVR) devices, specifically the CP-UNR-108F1 hardware/web/system components, allows authenticated high-privileged attackers to inject persistent JavaScript payloads into backend storage that execute in administrators' browsers on page load. With CVSS 8.4 and a Scope:Changed vector, successful exploitation enables session hijacking, unauthorized administrative actions against the video surveillance device, and theft of footage or credentials. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored cross-site scripting in CP Plus 1xxx series Network Video Recorder (NVR) devices, specifically the CP-UNR-108F1 hardware/web/system components, allows authenticated high-privileged attackers to inject persistent JavaScript payloads into backend storage that execute in administrators' browsers on page load. With CVSS 8.4 and a Scope:Changed vector, successful exploitation enables session hijacking, unauthorized administrative actions against the video surveillance device, and theft of footage or credentials. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.