CVE-2019-10887

Name of the Vulnerable Software and Affected Versions Salicru SLC-20-cube3(5) devices running firmware version cs121-SNMP v4.54.82.130611

Description A reflected HTML injection issue allows remote attackers to inject arbitrary HTML elements via specific API endpoints, including /DataLog.csv?log=, /AlarmLog.csv?log=, /waitlog.cgi?name=, /chart.shtml?data=, or /createlog.cgi?name= requests.

Recommendations For Salicru SLC-20-cube3(5) devices running firmware version cs121-SNMP v4.54.82.130611, consider restricting access to the vulnerable API endpoints, such as /DataLog.csv?log=, /AlarmLog.csv?log=, /waitlog.cgi?name=, /chart.shtml?data=, and /createlog.cgi?name=, until a patch is available. Avoid using these endpoints with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.