PT-2020-13994 · Nedi · Nedi

Farid007 · Published 2020-06-29 · Updated 2020-07-06 · CVE-2020-14413

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NeDi version 1.9C

Description: NeDi 1.9C is vulnerable to cross-site scripting because of an incorrect implementation of the sanitize() function in inc/libmisc.php. The function tries to strip the SCRIPT tag from user-controllable values instead of encoding them for the HTML context in which they are rendered, so any other route to script execution passes through unchanged. This is demonstrated with an IMG element carrying an onerror attribute, supplied as the sta parameter of Devices-Config.php (Devices-Config.php?sta=): the value is reflected into the page and the handler executes in the victim's browser. The vector's UI:R reflects that a victim has to open the crafted link.

Recommendations: For NeDi version 1.9C, apply the vendor's fix. Do not disable sanitize() in the meantime: removing it leaves every value it currently guards completely unencoded. Until the fix is deployed, replace the tag blacklist in inc/libmisc.php with context-aware output encoding (htmlspecialchars() with ENT_QUOTES for values rendered into HTML), restrict access to Devices-Config.php to trusted administrators, and treat the sta parameter as untrusted input. A Content-Security-Policy that forbids inline event handlers limits the impact of any injection point that remains.
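The bypass described above and the hardened alternative recommended in its place, as an added example that is not code from this advisory or from the NeDi project. It is written in Python rather than NeDi's PHP so that it runs stand-alone; blacklist_sanitize() is a constructed stand-in that models the behaviour the advisory describes (strip SCRIPT tags only) and is not the real sanitize() from inc/libmisc.php. The function names, the payload set, the crafted URL and the nedi.example host are all assumptions made for the example; the PHP equivalent of encode_for_html() is htmlspecialchars($value, ENT_QUOTES, 'UTF-8').

```python
"""Blacklist sanitizer bypass vs. context-aware encoding (added example).

blacklist_sanitize() is a constructed stand-in modelling the behaviour the
advisory describes; it is NOT the real sanitize() from NeDi's inc/libmisc.php.
"""
import html
import re
from urllib.parse import parse_qs, urlparse

# Matches an opening or closing <script ...> tag, case-insensitively.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

# Matches markup a browser would execute: a script tag, or an inline event
# handler attribute (onerror=, onload=, ...) inside any tag.
_ACTIVE_CONTENT = re.compile(r"<script\b|<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def blacklist_sanitize(value: str) -> str:
    """Constructed stand-in for a blacklist sanitizer: strips SCRIPT tags and nothing else."""
    return _SCRIPT_TAG.sub("", value)


def encode_for_html(value: str) -> str:
    """Hardened alternative: encode for the HTML context, so no markup survives
    (PHP equivalent: htmlspecialchars($value, ENT_QUOTES, 'UTF-8'))."""
    return html.escape(value, quote=True)


def sta_param_from_url(url: str) -> str:
    """Read the sta= query parameter the way a PHP script reads $_GET['sta']."""
    return parse_qs(urlparse(url).query)["sta"][0]


def survives(sanitizer, value: str) -> bool:
    """True if executable markup is still present after the sanitizer has run."""
    return _ACTIVE_CONTENT.search(sanitizer(value)) is not None


# Constructed payloads. "img onerror" is the bypass from the advisory; "nested script"
# goes beyond it to show that single-pass tag stripping re-assembles the tag it removed.
PAYLOADS = {
    "script tag":    "<script>alert(1)</script>",
    "img onerror":   "<img src=x onerror=alert(1)>",
    "nested script": "<scr<script>ipt>alert(1)</script>",
}

# Constructed URL (hostname hypothetical) carrying the advisory's bypass in sta=.
CRAFTED_URL = (
    "http://nedi.example/Devices-Config.php"
    "?sta=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
)


def compare() -> dict:
    """Map each payload name to (survives blacklist?, survives encoding?)."""
    return {name: (survives(blacklist_sanitize, p), survives(encode_for_html, p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    sta = sta_param_from_url(CRAFTED_URL)
    print("sta= decoded:    ", sta)
    print("after blacklist: ", blacklist_sanitize(sta))
    print("after encoding:  ", encode_for_html(sta))
    for name, (bl, enc) in compare().items():
        print(f"{name:14s} blacklist bypassed={bl!s:5s} encoding bypassed={enc}")
```

The point of the comparison is that a blacklist only ever removes what it was written to recognise: the IMG/onerror value reaches the page untouched, and the nested form turns the stripping step itself into the tool that produces a SCRIPT tag. Encoding for the output context has no such gaps because it does not decide what is dangerous, it removes the ability of the value to be interpreted as markup at all.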

Fix

XSS


Weakness Enumeration: XSS

Related Identifiers: CVE-2020-14413

Affected Products: Nedi