PT-2024-15653 · Wic1200 · Wic1200

Hadess · Published 2024-01-16 · Updated 2024-01-23 · CVE-2024-0554

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: WIC1200 version 1.1

Description: A cross-site scripting (XSS) vulnerability has been found that allows an authenticated user to store a malicious JavaScript payload in the device model parameter via "/setup/diags ir learn.asp". Because the stored value is later rendered to other users, the attacker can retrieve the session details of another user.

Recommendations: For version 1.1, consider disabling access to the "/setup/diags ir learn.asp" endpoint until a patch is available. Restrict the ability to store data in the device model parameter to minimize the risk of exploitation.
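Added example (not code from the advisory or the vendor): a Python sketch of the two controls the recommendation points at for a stored XSS like this one, an allowlist check applied before the device model value is stored and HTML escaping applied when it is rendered, exercised against a constructed stored value. The field constraints, the HTML fragment and the cookie attributes are assumptions; the actual WIC1200 firmware is not shown on the page.

```python
import html
import re

# Assumed constraint for a device model string (not from the advisory):
# letters, digits, space, dot, dash, underscore; 1 to 32 characters.
DEVICE_MODEL_RE = re.compile(r"[A-Za-z0-9 ._-]{1,32}")

# Constructed sample values standing in for the stored device model field.
STORED_MODELS = {
    "benign": "IR Blaster 1200",
    "payload": "<script>alert(1)</script>",   # constructed test string, not an exploit
}


def validate_device_model(value: str) -> bool:
    """Input-side control: accept only values matching the allowlist."""
    return DEVICE_MODEL_RE.fullmatch(value) is not None


def store_device_model(value: str) -> str:
    """Simulated persistence: refuse to store anything that fails validation."""
    if not validate_device_model(value):
        raise ValueError("device model rejected by allowlist")
    return value


def render_vulnerable(device_model: str) -> str:
    """Mimics the flaw described: the stored value is emitted into HTML verbatim."""
    return f'<td class="model">{device_model}</td>'


def render_hardened(device_model: str) -> str:
    """Output-side control: HTML-escape the stored value in the element-content context."""
    return f'<td class="model">{html.escape(device_model, quote=True)}</td>'


def contains_raw_script_tag(rendered: str) -> bool:
    """Crude check used here to show whether active markup survived rendering."""
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Defence in depth against session theft via script: keep the cookie out of reach of JavaScript."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    for label, value in STORED_MODELS.items():
        print(label, "valid:", validate_device_model(value))
        print("  vulnerable:", render_vulnerable(value))
        print("  hardened:  ", render_hardened(value))
    print(session_cookie_header("constructed-session-id"))
```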

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2024-0554

Affected Products: Wic1200