CVE-2026-29513

MEDIUM

Hereta ETH-IMC408M Stored XSS via Device Location

Title source: cna

Description

Hereta ETH-IMC408M firmware versions 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. The field is not sanitized, so scripts injected through the System Status interface execute in the browsers of users who view the status page.

Scores

CVSS v3 5.4
EPSS 0.0014
EPSS Percentile 3.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
hereta/eth-imc408m_firmware < 1.0.15
Shenzhen Hereta Technology Co., Ltd./Hereta ETH-IMC408M < 1.0.15
Published Mar 16, 2026
Tracked Since Mar 16, 2026