CVE-2020-37148

LOW

P5 FNIP-8x16A/FNIP-4xSH <1.0.20, 1.0.11 - XSS

Title source: llm

Description

P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappshardware

https://www.exploit-db.com/exploits/48362

View Code ZIP pw:eip

References (6)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/48362

[Exploit, Third Party Advisory] https://packetstormsecurity.com/files/156170/P5-FNIP-8x16A-FNIP-4xSH-1.0.20-CSRF-XSS.html

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/176993

[Various Sources] https://www.p5.hu/

[Third Party Advisory] https://www.vulncheck.com/advisories/p-fnip-xafnip-xsh-stored-cross-site-scripting-xss

Scores

CVSS v3 3.5

EPSS 0.0002

EPSS Percentile 3.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

P5/FNIP-8x16A 1.0.11

P5/FNIP-8x16A 1.0.20

Published Feb 05, 2026

Tracked Since Feb 18, 2026