
Description

P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.

PUBLISHED Reserved 2026-02-03 | Published 2026-02-05 | Updated 2026-02-05 | Assigner VulnCheck




MEDIUM: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
LOW: 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

Product status

1.0.20: affected

1.0.11: affected

Credits

Gjoko 'LiquidWorm' Krstic (@zeroscience) (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php (Zero Science Lab Disclosure (ZSL-2020-5564)) technical-description exploit

www.exploit-db.com/exploits/48362 (ExploitDB-48362) exploit

packetstormsecurity.com/...6A-FNIP-4xSH-1.0.20-CSRF-XSS.html (Packet Storm Entry) exploit

exchange.xforce.ibmcloud.com/vulnerabilities/176993 (IBM X-Force Vulnerability Report) third-party-advisory

www.p5.hu/ (P5 Vendor Homepage) product

www.vulncheck.com/...nip-xsh-stored-cross-site-scripting-xss (VulnCheck Advisory: P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS)) third-party-advisory

cve.org (CVE-2020-37148)

nvd.nist.gov (CVE-2020-37148)
