CVE-2022-33322
MEDIUM
Mitsubishi Electric Consumer Electronics Firmware - Unauthenticated Cross-Site Scripting
Title source: llm
Description
Cross-site scripting vulnerability in Mitsubishi Electric consumer electronics products (Air Conditioning, Wi-Fi Interface, Refrigerator, HEMS adapter, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch and Air Purifier) allows a remote unauthenticated attacker to execute a malicious script in a user's browser to disclose information, etc. A wide range of models/versions of Mitsubishi Electric consumer electronics products is affected by this vulnerability. For the affected product models/versions, see the Mitsubishi Electric advisory listed in the References section.
References (3)
Core References
Third Party Advisory, VDB Entry government-resource
https://jvn.jp/vu/JVNVU96767562/index.html
Mitigation, Vendor Advisory vendor-advisory
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-011_en.pdf
Mitigation, Vendor Advisory vendor-advisory
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2022-011.pdf
Scores
CVSS v3
6.1
EPSS
0.0149
EPSS Percentile
81.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (50)
mitsubishielectric/ma-ew85s-e_firmware
< 80.00
mitsubishielectric/ma-ew85s-uk_firmware
< 80.00
mitsubishielectric/mac-507if-e_firmware
< 35.00
mitsubishielectric/mac-587if-e_firmware
< 35.00
mitsubishielectric/mac-587if2-e_firmware
< 35.00
mitsubishielectric/mac-588if-e_firmware
< 35.00
mitsubishielectric/mfz-gxt50\/60\/73vfk_firmware
< 35.00
mitsubishielectric/mfz-xt50\/60vfk_firmware
< 35.00
mitsubishielectric/msxy-fp05\/07\/10\/13\/18\/20\/24vgk-sg1_firmware
< 35.00
mitsubishielectric/msy-gp10\/13\/15\/18\/20\/24vfk-sg1_firmware
< 35.00
... and 40 more
Published
Nov 08, 2022
Tracked Since
Feb 18, 2026