GHSA-M56G-XX45-238C

Vulnerability from github – Published: 2025-01-15 12:30 – Updated: 2025-01-15 12:30
VLAI?
Details

A stored Cross-site Scripting (XSS) vulnerability exists in the MGate 5121/5122/5123 Series firmware version v1.0 because of insufficient sanitization and encoding of user input in the "Login Message" functionality. An authenticated attacker with administrative access can exploit this vulnerability to inject malicious scripts that are continuously stored on the device. These scripts are executed when other users access the login page, potentially resulting in unauthorized actions or other impacts, depending on the user's privileges.

Severity ?
5.2 (Medium)
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-0193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-15T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A stored Cross-site Scripting (XSS) vulnerability exists in the MGate 5121/5122/5123 Series firmware version v1.0 because of insufficient sanitization and encoding of user input in the \"Login Message\" functionality. An authenticated attacker with administrative access can exploit this vulnerability to inject malicious scripts that are\u00a0continuously stored on the device. These scripts are executed when other users access the login page, potentially resulting in unauthorized actions\u00a0or other impacts,\u00a0depending on the user\u0027s privileges.",
  "id": "GHSA-m56g-xx45-238c",
  "modified": "2025-01-15T12:30:45Z",
  "published": "2025-01-15T12:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0193"
    },
    {
      "type": "WEB",
      "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-247733-cve-2025-0193-stored-cross-site-scripting-(xss)-vulnerability-in-the-mgate-5121-5122-5123-series"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.