Home

Description

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /index.cgi endpoint of International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101. The application fails to adequately sanitize user-supplied input provided via the `cat` parameter before reflecting it in the HTTP response, allowing a remote attacker to execute arbitrary HTML or JavaScript in the victim's browser context.

PUBLISHED Reserved 2026-03-03 | Published 2026-03-04 | Updated 2026-03-05 | Assigner Gridware




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

101
affected

Credits

Abdul Mhanni finder

References

www.abdulmhsblog.com/posts/sfx2100-vulns/

cve.org (CVE-2026-28771)

nvd.nist.gov (CVE-2026-28771)

Download JSON