Having run the OpenVAS security scanner on my network recently, I got multiple findings reported against port 5000 for wyze bridge.
This first finding seems valid:
**Summary**

The remote HTTP web server / application is missing to set the 'HttpOnly' cookie attribute for one or more sent HTTP cookie.

**Detection Result**

The cookies:

Set-Cookie: number_of_columns=***replaced***; Path=/
Set-Cookie: refresh_period=***replaced***; Path=/
Set-Cookie: show_video=; Path=/
Set-Cookie: video=***replaced***; Path=/
Set-Cookie: fullscreen=; Path=/

are missing the "HttpOnly" attribute.

**Insight**

The flaw exists if a session cookie is not using the 'HttpOnly' cookie attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.

**Detection Method**

Checks all cookies sent by the remote HTTP web server / application for a missing 'HttpOnly' cookie attribute.

Details: [Missing 'HttpOnly' Cookie Attribute (HTTP) OID: 1.3.6.1.4.1.25623.1.0.105925](http://192.168.2.17:9392/nvt/1.3.6.1.4.1.25623.1.0.105925)
Version used: 2023-01-11T10:12:37Z

**Affected Software/OS**

Any web application with session handling in cookies.

**Solution**

Solution Type: Mitigation
### **Other False Positive Findings**
_The other findings seem to be related to the fact that the /api endpoint responds to the detections used, making it think there is a solution in place.
One simple way to avoid these detections (if desired) would be to filter out (return 404) any URL containing ".php", or restricting to only 2 levels deep (or as needed).
These are not legit findings, but do generate noise for people running security tools, so smaller impact._
------
The remote web server is running phpWebLog, a news and content management
system written in PHP that is prone to several flaws, including possibly arbitrary code execution.
Detection Result
Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/search.php?query=we+%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&topic=0&limit=30
------
CompactCMS is prone to multiple cross-site scripting (XSS)
vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Detection Result
Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/afdrukken.php?page=%22%3E%3Cscript%3Ealert(%27openvasvt%27)%3C/script%3E
------
Community Server is prone to a cross-site scripting (XSS)
vulnerability because it fails to sufficiently sanitize user-supplied data.
Detection Result
Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/utility/TagSelector.aspx?TagEditor=%27)%3C/script%3E%3Cscript%3Ealert(%27openvasvt%27)%3C/script%3E
------
Softbiz Classifieds Script is prone to multiple cross-site scripting
vulnerabilities because it fails to sufficiently sanitize
user-supplied data.
An attacker may leverage these issues to execute arbitrary script
code in the browser of an unsuspecting user in the context of the
affected site. This may allow the attacker to steal cookie-based
authentication credentials and to launch other attacks.
Detection Result
Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/showcategory.php?cid=9type=1&keyword=Pouya&radio=%3E%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
------
The remote web server contains a PHP script which is vulnerable to a
cross site scripting and SQL injection issue.
Description :
Basit cms 1.0 has a cross site scripting bug. An attacker may use it to
perform a cross site scripting attack on this host.
In addition to this, it is vulnerable to a SQL insertion
attack which may allow an attacker to get the control
of your database.
Detection Result
Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/modules/Submit/index.php?op=pre&title=
------
The remote web server contains several PHP scripts that are prone to
cross-site scripting attacks.
Description :
The remote host runs Zeroboard, a web BBS application popular in
Korea.
The remote version of this software is vulnerable to cross-site
scripting attacks due to a lack of sanitization of user-supplied data.
Successful exploitation of this issue may allow an attacker to execute
malicious script code in a user's browser within the context of the
affected web site.
Detection Result
Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/zboard.php?id=gallery&sn1=ALBANIAN%20RULEZ='%3E%3Cscript%3Efoo%3C/script%3E
------
There are half a dozen other findings like this.
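The following helpers are an added example, not code from wyze bridge or from the issue author. They implement the defensive side of both parts of this report: the HttpOnly check that the OpenVAS plugin performs (run over the Set-Cookie lines from the scan, together with a function that adds the missing attribute), and the "return 404 for any URL containing .php, or deeper than N levels" filter proposed above for the /api endpoint, run against the probe paths from the false-positive findings. Wiring into the web framework (for instance a Flask after_request hook) is assumed and not shown, because the page does not say which framework serves port 5000; the sample cookie and path values are copied from the scan output, and `/api/example` is a hypothetical path.

```python
from urllib.parse import urlsplit, unquote

# Set-Cookie header values copied from the scan result above (the scanner had
# already redacted the values as ***replaced***).
SCAN_COOKIES = [
    "number_of_columns=***replaced***; Path=/",
    "refresh_period=***replaced***; Path=/",
    "show_video=; Path=/",
    "video=***replaced***; Path=/",
    "fullscreen=; Path=/",
]

# Paths of the scanner's probe URLs from the false-positive findings (the host
# is redacted on the page, so only the path component is kept here).
PROBE_PATHS = [
    "/api/ldap/config/ldapTreeNodeChildren/search.php",
    "/api/ldap/config/ldapTreeNodeChildren/afdrukken.php",
    "/api/ldap/config/ldapTreeNodeChildren/utility/TagSelector.aspx",
    "/api/ldap/config/ldapTreeNodeChildren/showcategory.php",
    "/api/ldap/config/ldapTreeNodeChildren/modules/Submit/index.php",
    "/api/ldap/config/ldapTreeNodeChildren/zboard.php",
]


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute_lowercased: attribute_value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie_headers(headers):
    """Return the names of cookies lacking HttpOnly: the condition the OpenVAS plugin reports."""
    missing = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


def harden_set_cookie(header: str, secure: bool = False) -> str:
    """Re-emit a Set-Cookie value with HttpOnly and SameSite=Lax added if absent.

    Secure is opt-in: assuming the UI is reached over plain HTTP on a LAN (common
    for a self-hosted bridge), a Secure cookie would never be sent back over
    http:// and the preferences these cookies hold would silently stop working.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    if "httponly" not in present:
        parts.append("HttpOnly")
    if "samesite" not in present:
        parts.append("SameSite=Lax")
    if secure and "secure" not in present:
        parts.append("Secure")
    return "; ".join(parts)


def should_reject_path(url_or_path: str, max_depth: int = 2) -> bool:
    """True if the request should be answered with 404 under the suggested filter.

    Rejects any path containing ".php" (matched after percent-decoding, so
    "%2Ephp" is caught as well) or nested deeper than max_depth segments. The
    right depth depends on the application's own legitimate routes; 2 is the
    value floated in the issue, not a setting taken from the project.
    """
    path = unquote(urlsplit(url_or_path).path)
    segments = [s for s in path.split("/") if s]
    return ".php" in path.lower() or len(segments) > max_depth


if __name__ == "__main__":
    print("cookies missing HttpOnly:", audit_set_cookie_headers(SCAN_COOKIES))
    hardened = [harden_set_cookie(h) for h in SCAN_COOKIES]
    print("after hardening:", audit_set_cookie_headers(hardened))
    for p in PROBE_PATHS:
        print("404 " if should_reject_path(p) else "pass", p)
```

Two things worth noticing when running it. The cookie names (number_of_columns, refresh_period, show_video, fullscreen) look like display preferences rather than session tokens, so the scanner's "session hijacking" wording overstates the practical risk, but adding HttpOnly (and SameSite=Lax) costs nothing and silences the finding. For the noise filter, a ".php"-only rule would let the TagSelector.aspx probe through; the depth limit is what catches it, which is why the example applies both.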