CVE-2020-8839

MEDIUM

CHIYU BF-430 Firmware < 1.16.00 - Stored Cross-Site Scripting via TF_submask Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-8839. PoCs published by Luca.Chiou.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in CHIYU BF430 TCP/IP Converter by injecting malicious JavaScript into the 'TF_submask' parameter via the /if.cgi endpoint. The payload is stored in the device's database and executed when accessed.

Description

Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter devices before 1.16.00, as demonstrated by the /if.cgi TF_submask field.

Exploits (1)

exploitdb WORKING POC

by Luca.Chiou · textwebappscgi

https://www.exploit-db.com/exploits/48040

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in CHIYU BF430 TCP/IP Converter by injecting malicious JavaScript into the 'TF_submask' parameter via the /if.cgi endpoint. The payload is stored in the device's database and executed when accessed.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: CHIYU BF430 232/485 TCP/IP Converter (versions prior to 1.16.00)

No auth needed

Prerequisites: network access to the target device · knowledge of the target IP address

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://drive.google.com/open?id=1eDN0rsGPs4-yxeMxl7MGh__yjdbl-wON

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/156289/CHIYU-BF430-TCP-IP-Converter-Cross-Site-Scripting.html

Scores

CVSS v3 6.1

EPSS 0.0207

EPSS Percentile 79.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

chiyu-t/bf-430_firmware < 1.16.00

Published Feb 12, 2020

Tracked Since Feb 18, 2026