CVE-2020-36905

Jan. 6, 2026, 4:15 p.m.

5.1
Medium

Description

FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content.

Product(s) Impacted

Vendor Product Versions
Fibaro
  • Fibaro System Home Center
  • 5.021

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-829
Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a fibaro fibaro_system_home_center 5.021 / / / / / / /

References

https://cxsecurity.com/issue/WLB-2020030140
https://exchange.xforce.ibmcloud.com/vulnerabilities/178269
https://packetstorm.news/files/id/156869
https://www.exploit-db.com/exploits/48240
https://www.fibaro.com
https://www.vulncheck.com/advisories/fibaro-system-home-center-remote-file-inclusion-via-proxy-api
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php

Tags

[email protected]
CWE-829
2026-01-06
CVE-2020-36905

CVSS Score

5.1 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: ACTIVE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Jan. 6, 2026, 4:15 p.m.
Last Modified: Jan. 6, 2026, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.