CVE-2025-2072 (GCVE-0-2025-2072)
Vulnerability from cvelistv5 – Published: 2025-03-31 08:34 – Updated: 2025-03-31 16:18
Title
Reflected Cross-Site Scripting (XSS) Vulnerability in FAST LTA Silent Brick WebUI
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in FAST LTA Silent Brick WebUI, allowing attackers to inject malicious JavaScript code into web pages viewed by users. This issue arises when user-supplied input is improperly handled and reflected directly in the output of a web page without proper sanitization or encoding. Exploiting this vulnerability, an attacker can execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, data theft, and other malicious actions. Affected WebUI parameters are "h", "hd", "p", "pi", "s", "t", "x", "y".
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
Impacted products
| Vendor | Product | Version |
|---|---|---|
| FAST LTA | FAST LTA Silent Brick WebUI | Affected: WebUI Release 2.45 (Linux 5.4.109-gentoo-FAST), < 2.63.04 (custom) |
Credits
Stefan Mettler from CRYPTRON Security GmbH
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2072",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:16:46.834770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:18:32.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Web User Interface"
],
"platforms": [
"Linux"
],
"product": "FAST LTA Silent Brick WebUI",
"vendor": "FAST LTA",
"versions": [
{
"lessThan": "2.63.04",
"status": "affected",
"version": "WebUI Release 2.45 (Linux 5.4.109-gentoo-FAST)",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stefan Mettler from CRYPTRON Security GmbH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in FAST LTA Silent Brick WebUI, allowing attackers to inject malicious JavaScript code into web pages viewed by users. This issue arises when user-supplied input is improperly handled and reflected directly in the output of a web page without proper sanitization or encoding. Exploiting this vulnerability, an attacker can execute arbitrary JavaScript in the context of the victim\u0027s browser, potentially leading to session hijacking, data theft, and other malicious actions. Affected WebUI parameters are \"h\", \"hd\", \"p\", \"pi\", \"s\", \"t\", \"x\", \"y\".\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in FAST LTA Silent Brick WebUI, allowing attackers to inject malicious JavaScript code into web pages viewed by users. This issue arises when user-supplied input is improperly handled and reflected directly in the output of a web page without proper sanitization or encoding. Exploiting this vulnerability, an attacker can execute arbitrary JavaScript in the context of the victim\u0027s browser, potentially leading to session hijacking, data theft, and other malicious actions. Affected WebUI parameters are \"h\", \"hd\", \"p\", \"pi\", \"s\", \"t\", \"x\", \"y\"."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T09:52:05.166Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.fast-lta.de/de/fast/silent-bricks-software-2-63"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vendor security patch is available. Upgrade to release \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://software.fast-lta.com/fast-sb-update-2.63.0.4.tar\"\u003efast-sb-update-2.63.0.4.tar\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "A vendor security patch is available. Upgrade to release fast-sb-update-2.63.0.4.tar https://software.fast-lta.com/fast-sb-update-2.63.0.4.tar"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-24T15:22:00.000Z",
"value": "vulnerability has been identified and reported to the vendor"
},
{
"lang": "en",
"time": "2025-01-16T08:30:00.000Z",
"value": "transmission of further technical information to the vendor"
},
{
"lang": "en",
"time": "2025-01-23T09:45:00.000Z",
"value": "vulnerability has been confirmed by the vendor and a patch is in progress"
},
{
"lang": "en",
"time": "2025-03-06T09:30:00.000Z",
"value": "Vendor patch available"
}
],
"title": "Reflected Cross-Site Scripting (XSS) Vulnerability in FAST LTA Silent Brick WebUI",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-2072",
"datePublished": "2025-03-31T08:34:14.205Z",
"dateReserved": "2025-03-06T18:18:50.024Z",
"dateUpdated": "2025-03-31T16:18:32.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2071 (GCVE-0-2025-2071)
Vulnerability from cvelistv5 – Published: 2025-03-31 08:33 – Updated: 2025-03-31 16:26
Title
OS Command Injection Vulnerability in FAST LTA Silent Brick WebUI
Summary
A critical OS Command Injection vulnerability has been identified in the FAST LTA Silent Brick WebUI, allowing remote attackers to execute arbitrary operating system commands via specially crafted input. This vulnerability arises due to improper handling of untrusted input, which is passed directly to system-level commands without adequate sanitization or validation. Successful exploitation could allow attackers to execute arbitrary commands on the affected system, potentially resulting in unauthorized access, data leakage, or full system compromise. Affected WebUI parameters are "hd" and "pi".
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
Impacted products
| Vendor | Product | Version |
|---|---|---|
| FAST LTA | FAST LTA Silent Brick WebUI | Affected: WebUI Release 2.45 (Linux 5.4.109-gentoo-FAST), < 2.63.04 (custom) |
Credits
Stefan Mettler from CRYPTRON Security GmbH
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:26:19.132583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:26:54.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "FAST LTA Silent Brick WebUI",
"vendor": "FAST LTA",
"versions": [
{
"lessThan": "2.63.04",
"status": "affected",
"version": "WebUI Release 2.45 (Linux 5.4.109-gentoo-FAST)",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stefan Mettler from CRYPTRON Security GmbH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A critical OS Command Injection vulnerability has been identified in the FAST LTA Silent Brick WebUI, allowing remote attackers to execute arbitrary operating system commands via specially crafted input. This vulnerability arises due to improper handling of untrusted input, which is passed directly to system-level commands without adequate sanitization or validation. Successful exploitation could allow attackers to execute arbitrary commands on the affected system, potentially resulting in unauthorized access, data leakage, or full system compromise. Affected WebUI parameters are \"hd\" and \"pi\".\u003cbr\u003e"
}
],
"value": "A critical OS Command Injection vulnerability has been identified in the FAST LTA Silent Brick WebUI, allowing remote attackers to execute arbitrary operating system commands via specially crafted input. This vulnerability arises due to improper handling of untrusted input, which is passed directly to system-level commands without adequate sanitization or validation. Successful exploitation could allow attackers to execute arbitrary commands on the affected system, potentially resulting in unauthorized access, data leakage, or full system compromise. Affected WebUI parameters are \"hd\" and \"pi\"."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T08:33:53.271Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.fast-lta.de/de/fast/silent-bricks-software-2-63"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAvoid using external processes: Whenever possible, use library calls instead of invoking external processes to recreate desired functionality.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eA vendor security patch is available. Upgrade to release\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://software.fast-lta.com/fast-sb-update-2.63.0.4.tar\"\u003efast-sb-update-2.63.0.4.tar \u003c/a\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Avoid using external processes: Whenever possible, use library calls instead of invoking external processes to recreate desired functionality.\n\nA vendor security patch is available. Upgrade to release\u00a0 fast-sb-update-2.63.0.4.tar https://software.fast-lta.com/fast-sb-update-2.63.0.4.tar"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-24T15:22:00.000Z",
"value": "vulnerability has been identified and reported to the vendor"
},
{
"lang": "en",
"time": "2025-01-16T08:30:00.000Z",
"value": "transmission of further technical information to the vendor"
},
{
"lang": "en",
"time": "2025-01-23T09:45:00.000Z",
"value": "vulnerability has been confirmed by the vendor and a patch is in progress"
},
{
"lang": "en",
"time": "2025-03-06T10:30:00.000Z",
"value": "Vendor patch available"
}
],
"title": "OS Command Injection Vulnerability in FAST LTA Silent Brick WebUI",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-2071",
"datePublished": "2025-03-31T08:33:53.271Z",
"dateReserved": "2025-03-06T18:18:48.091Z",
"dateUpdated": "2025-03-31T16:26:54.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}