CVE-2018-25131

Summary

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file to that executes arbitrary JavaScript in a user's browser session when viewed.

Affected Software

VendorProductVersion RangeStatus
Leica Geosystems AGGR10/GR25/GR30/GR50 GNSS4.30.063affected
Leica Geosystems AGGR10/GR25/GR30/GR50 GNSS4.20.232affected
Leica Geosystems AGGR10/GR25/GR30/GR50 GNSS4.11.606affected
Leica Geosystems AGGR10/GR25/GR30/GR50 GNSS3.22.1818affected
Leica Geosystems AGGR10/GR25/GR30/GR50 GNSS3.10.1633affected
Leica Geosystems AGGR10/GR25/GR30/GR50 GNSS2.62.782affected
Leica Geosystems AGGR10/GR25/GR30/GR50 GNSS1.00.395affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References