Home

Description

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.

PUBLISHED Reserved 2026-03-04 | Published 2026-03-16 | Updated 2026-03-17 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status
unknown

Any version
affected

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. finder

References

web.archive.org/web/20250820105319/http://hereta.com/ product

www.vulncheck.com/...-imc408m-stored-xss-via-device-location third-party-advisory

cve.org (CVE-2026-29513)

nvd.nist.gov (CVE-2026-29513)

Download JSON