CVE-2020-37148

Summary

P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.

Affected Software

VendorProductVersion RangeStatus
P5FNIP-8x16A1.0.20affected
P5FNIP-8x16A1.0.11affected
P5FNIP-4xSH1.0.20affected
P5FNIP-4xSH1.0.11affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References