CVE-2020-37148
5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Summary
P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| P5 | FNIP-8x16A | 1.0.20 | affected |
| P5 | FNIP-8x16A | 1.0.11 | affected |
| P5 | FNIP-4xSH | 1.0.20 | affected |
| P5 | FNIP-4xSH | 1.0.11 | affected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
- https://www.exploit-db.com/exploits/48362
- https://packetstormsecurity.com/files/156170/P5-FNIP-8x16A-FNIP-4xSH-1.0.20-CSRF-XSS.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/176993
- https://www.p5.hu/
- https://www.vulncheck.com/advisories/p-fnip-xafnip-xsh-stored-cross-site-scripting-xss
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.