CVE-2024-43687

MEDIUM

Microchip TimeProvider 4100 Firmware 1.0-2.4.6 - Stored Cross-Site Scripting in Banner Config Modules

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-43687. PoCs published by Armando Huesca Prida.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Microchip TimeProvider 4100 Grandmaster's banner configuration module. The PoC provides an HTTP request template to inject malicious JavaScript payloads into the custom banner field, which executes when victims access the web interface.

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimeProvider 4100 (banner config modules) allows Cross-Site Scripting (XSS). This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Exploits (1)

exploitdb WORKING POC
by Armando Huesca Prida · remote · hardware
https://www.exploit-db.com/exploits/52120

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Microchip TimeProvider 4100 Grandmaster (Firmware 1.0 through 2.4.7)
Auth required
Prerequisites: Valid session cookie · Access to the device's web management interface
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0076
EPSS Percentile 50.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
microchip/timeprovider_4100_firmware 1.0 - 2.4.7
Published Oct 04, 2024
Tracked Since Feb 18, 2026