PT-2025-23622 · Unicom · Unicom Focal Point
Ianis Bernard · Published 2025-06-03 · Updated 2025-06-03 · CVE-2025-43924
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Unicom Focal Point version 7.6.1
Description
A stored cross-site scripting (XSS) issue was found. The val parameter in SettingController for the "/fp/admin/settings/loginpage" endpoint and the rootserviceurl parameter in FriendsController for the "/fp/admin/settings/friends" endpoint are vulnerable to stored XSS attacks when entered by an admin.
Recommendations
For Unicom Focal Point version 7.6.1, consider disabling the val parameter in SettingController and the rootserviceurl parameter in FriendsController as a temporary workaround until a patch is available. Restrict access to the "/fp/admin/settings/loginpage" and "/fp/admin/settings/friends" endpoints to minimize the risk of exploitation. Avoid using the val and rootserviceurl parameters in the affected API endpoints until the issue is resolved.
Fix
XSS
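The recommendations above are workarounds; the durable fix is to treat even admin-entered settings as untrusted, validating them on the way in and encoding them on the way out. The block below is an added example written for this advisory, not Unicom's code: only the setting names val and rootserviceurl come from the description, while the function names, the allowed-scheme list and the sample settings snapshot are assumed or constructed.

```python
"""Added example (not Unicom Focal Point code): safe handling of the two kinds
of admin-supplied settings named in this advisory, a login-page text (val) and
a friends root service URL (rootserviceurl), plus an audit of stored values."""
from __future__ import annotations

import html
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the friends URL only ever needs to be an absolute http(s) URL.
ALLOWED_SCHEMES = {"http", "https"}


def render_login_message(val: str) -> str:
    """HTML-encode a stored login-page message before it is emitted.
    A stored value is rendered in every visitor's browser, so the author
    being an admin does not make the value safe to echo verbatim."""
    return html.escape(val, quote=True)


def validate_root_service_url(url: str) -> Optional[str]:
    """Return the URL if it is an absolute http(s) URL without HTML-significant
    characters, otherwise None. Allow-listing the scheme rejects values such as
    javascript: that would execute if later placed in an href or script."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    if any(c in candidate for c in "<>\"'"):
        return None
    return candidate


def audit_settings(settings: dict) -> dict:
    """Review a snapshot of stored settings and return {name: reason} for
    values a defender should inspect, e.g. after upgrading past 7.6.1."""
    findings = {}
    url = settings.get("rootserviceurl", "")
    if validate_root_service_url(url) is None:
        findings["rootserviceurl"] = "not a clean absolute http(s) URL"
    val = settings.get("val", "")
    if render_login_message(val) != val:
        findings["val"] = "contains HTML-significant characters"
    return findings


if __name__ == "__main__":
    # Constructed sample of stored settings, not real data from any instance.
    sample = {"val": "<b>Welcome</b>", "rootserviceurl": "https://fp.example.org/fp/"}
    print(audit_settings(sample))
```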
Affected Products
Unicom Focal Point