F. Koroknai

**Name of the Vulnerable Software and Affected Versions** versions prior to the fix for CVE-2025-41752 **Description** An XSS vulnerability exists in the `pxc portSfp.php` file. An unauthenticated remote attacker can exploit this to trick an authenticated user into clicking a malicious link, potentially altering device configuration parameters accessible through the web-based management interface (WBM). The vulnerability does not grant access to system-level resources or privileged functions. The session cookie is protected by the httpOnly flag, preventing session hijacking. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to 2025-41745 **Description** An XSS issue exists in the `pxc portCntr2.php` file. An unauthenticated remote attacker can manipulate an authenticated user into sending a crafted POST request to the device, potentially altering parameters accessible through the web-based management interface (WBM). The vulnerability’s impact is limited to device configuration parameters within the web application’s scope and does not grant access to system-level resources or privileged functions. The session cookie is protected by the httpOnly flag, preventing session hijacking. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pxc portSecCfg.php (affected versions not specified) **Description** An XSS vulnerability exists in the pxc portSecCfg.php file. An unauthenticated remote attacker can exploit this to manipulate an authenticated user into sending a crafted POST request to the device. This allows modification of parameters accessible through the web-based management interface (WBM). The vulnerability’s impact is limited to device configuration parameters within the web application’s context and does not grant access to system-level resources or privileged functions. The session cookie is protected by the httpOnly flag, preventing session hijacking. The vulnerable file is `pxc portSecCfg.php`. The attack involves manipulating a POST request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pxc vlanIntfCfg.php (affected versions not specified) **Description** An XSS issue exists in `pxc vlanIntfCfg.php`. An unauthenticated remote attacker can manipulate an authenticated user into sending a crafted POST request to the device, potentially altering parameters accessible through the web-based management interface (WBM). The vulnerability’s impact is limited to device configuration parameters within the web application’s context and does not grant access to system-level resources or privileged functions. The session cookie is protected by the httpOnly flag, preventing session hijacking. The vulnerable file is `pxc vlanIntfCfg.php` and the attack involves manipulating a POST request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pxc Dot1xCfg.php (affected versions not specified) **Description** An XSS issue exists in pxc Dot1xCfg.php that allows an unauthenticated remote attacker to potentially manipulate an authenticated user into clicking a malicious link. This could lead to changes in device configuration parameters accessible through the web-based management interface (WBM). The vulnerability does not grant access to system-level resources or privileged functions. The session cookie is protected by the httpOnly flag, preventing session hijacking. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** port util.php (affected versions not specified) **Description** An XSS issue exists in the `port util.php` file. An unauthenticated remote attacker can potentially trick an authenticated user into clicking a malicious link, allowing the attacker to modify device configuration parameters accessible through the web-based management interface (WBM). The session cookie is protected by the httpOnly flag, preventing session hijacking. The issue does not grant access to system-level resources or privileged functions. The attack involves manipulating parameters available via the web interface. The API endpoint involved is not specified. The vulnerable parameter is not specified. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pxc PortCfg.php (affected versions not specified) **Description** An XSS issue exists in the pxc PortCfg.php file. An unauthenticated remote attacker can potentially trick an authenticated user into clicking a malicious link, allowing the attacker to modify device configuration parameters accessible through the web-based management interface. The vulnerability does not grant access to system-level resources or privileged functions. The session cookie is protected by the httpOnly flag, preventing session hijacking. The attack requires a user to click a link provided by the attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ImageIO (affected versions not specified) **Description** An issue exists in ImageIO that could allow for arbitrary code execution through maliciously crafted images. This issue was actively exploited. The vulnerability does not provide access to system-level resources or privileged functions, but allows execution of code via images. An estimated number of affected devices is not available. The session cookie is secured by the httpOnly Flag. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.