Multiple cross-site scripting (XSS) vulnerabilities in Mobotix IP Network Cameras M1 22.214.171.124 and M10 126.96.36.199, and other versions before 188.8.131.52 for M10/D10 and 184.108.40.206 for M22, allow remote attackers to inject arbitrary web script or HTML via URL-encoded values in (1) the query string to help/help, (2) the get_image_info_abspath parameter to control/eventplayer, and (3) the source_ip parameter to events.tar. Vendor Provided Solution Statement:
According the vendor, MOBOTIX "has resolved this problem as of 2006-06-27. MOBOTIX AG provides new software versions that include a security patch that prevents cross site scripting flaws. Customers are encouraged to upgrade to at least software version - V220.127.116.11 (for camera models M10/D10) and - V18.104.22.168 (for camera model M22) or higher (if available). The software is available for download from our website http://www.mobotix.com/services/software_downloads"