CVE-2020-37148
LOW
P5 FNIP-8x16A/FNIP-4xSH <1.0.20, 1.0.11 - XSS
Title source: llmDescription
P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.
Exploits (1)
References (6)
Scores
CVSS v3: 3.5
EPSS: 0.0004
EPSS Percentile: 12.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Classification
CWE: CWE-79
Status: draft
Timeline
Published: Feb 05, 2026
Tracked Since: Feb 18, 2026