CVE-2019-10846

MEDIUM

Computrols CBAS < 19.0.0 - Unauthenticated Reflected Cross-Site Scripting via Username Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10846. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in Computrols CBAS-Web 19.0.0 by injecting malicious scripts into the 'username' parameter via POST and GET requests. The PoC includes payloads that trigger JavaScript execution and HTML injection.

Description

Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scripting vulnerabilities in the login page and password reset page via the username GET parameter.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text, webapps, hardware
https://www.exploit-db.com/exploits/47614

Classification: Working PoC (100%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Computrols CBAS-Web 19.0.0
No auth needed
Prerequisites: Access to the target web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (3)

Third Party Advisory x_refsource_misc
https://applied-risk.com/labs/advisories

Scores

CVSS v3: 6.1
EPSS: 0.0466
EPSS Percentile: 90.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): computrols/computrols_building_automation_system < 19.0.0
Published: May 23, 2019
Tracked Since: Feb 18, 2026