The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.
The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.