Vendor: Network Camera
By: Orwelllabs
CVSS: 6.1 (MEDIUM)
CWE: 20 (Improper Input Validation)
Product Name: Network Camera
Affected Version From: 0.0
Affected Version To: 0.0
Patch Exists: Yes
Related CWE: CVE-2015-8256
CPE: a:axis:network_camera
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2016

Axis Network Cameras Multiple Cross-site scripting

Axis Network Cameras are prone to multiple (stored/reflected) cross-site scripting vulnerabilities. The attack vectors allow arbitrary JavaScript code to be executed in the user's browser (session) with these steps:

The attacker injects a JavaScript payload into the vulnerable page:

http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script type="text/javascript>prompt("AXIS_PASSWORD:")</script>

This creates an entry in the general log file (/var/log/messages). Then, when the user views the log ('system options' -> 'support' -> 'Logs & Reports'):

http://{axishost}/axis-cgi/admin/systemlog.cgi?id

a prompt for the password of the current user ('AXIS_PASSWORD') is displayed. However, because CSRF is also present, it is even possible to perform the attack without user interaction.

Mitigation:

Axis Communications recommends that users upgrade to the latest version of the firmware.
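The stored variant works because a request parameter reaches /var/log/messages and the log viewer later renders it as HTML. The following is an added example, not code from the advisory or from Axis: it flags log entries that carry markup and renders log lines with output encoding. The log line format, the sample lines and the function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample lines; the real layout of /var/log/messages on the
# device is an assumption.
SAMPLE_LOG = [
    'Jan  1 00:00:01 axis vaconfig: get name=MotionDetection',
    'Jan  1 00:00:02 axis vaconfig: get name=<script type="text/javascript>'
    'prompt("AXIS_PASSWORD:")</script>',
    'Jan  1 00:00:03 axis httpd: GET /axis-cgi/admin/systemlog.cgi?id',
    'Jan  1 00:00:04 axis vaconfig: get name=%3Cscript%3Eprompt(1)%3C/script%3E',
]

# A tag-like sequence has no business in a syslog entry.
TAG_LIKE = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')


def suspicious_lines(lines):
    """Return (index, line) for entries containing HTML markup.

    Each line is percent-decoded first so that URL-encoded markup logged
    verbatim is caught as well.
    """
    return [(i, line) for i, line in enumerate(lines)
            if TAG_LIKE.search(unquote(line))]


def render_log(lines):
    """Build the log viewer body with every line HTML-escaped.

    Escaping at output time neutralises entries already stored in the
    log, which input filtering alone cannot do.
    """
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<pre>" + body + "</pre>"


if __name__ == "__main__":
    for index, line in suspicious_lines(SAMPLE_LOG):
        print(f"line {index}: markup in log entry: {line!r}")
    print(render_log(SAMPLE_LOG))
```
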