CVE-2022-37063

low-risk
Published 2022-08-18

All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Cross Site Scripting (XSS) due to improper input sanitization. An authenticated remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the vulnerability reported. Latest firmware version (as of Oct 2025, was released Jun 2024) is 1.55.16.

Do I need to act?

-
0.35% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Flir

References (6)

Broken Link http://packetstormsecurity.com/files/168116/FLIR-AX8-1.46.16-Traversal-Access-Co...
Exploit https://gist.github.com/Nwqda/9e16852ab7827dc62b8e44d6180a6899
Product https://www.flir.com/products/ax8-automation/
Broken Link http://packetstormsecurity.com/files/168116/FLIR-AX8-1.46.16-Traversal-Access-Co...
Exploit https://gist.github.com/Nwqda/9e16852ab7827dc62b8e44d6180a6899
Product https://www.flir.com/products/ax8-automation/
27
/ 100
low-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal