PT-2020-15431 · Mediakind · Rx8200

Published: 2020-09-14 · Updated: 2020-11-12 · CVE-2020-22158

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

MediaKind (formerly Ericsson) RX8200 version 5.13.3

Description

The issue allows for both reflected and stored Cross-Site Scripting (XSS) attacks. An attacker can exploit reflected XSS by injecting JavaScript code into the path or Services+ID parameters and tricking a user into accessing the manipulated URL. For stored XSS, an attacker must modify the name parameter with malicious code to store the exploit on the server, which can then affect other users.

Recommendations

For MediaKind (formerly Ericsson) RX8200 version 5.13.3, as a temporary workaround, consider restricting access to the path and Services+ID parameters in the affected API endpoint, and avoid using the name parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-22158

Affected Products

Rx8200