Back

CVE-2022-42974

June 21, 2024, 10:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Kostal PIKO 1.5-1 MP plus HMI OEM p

  • 1.0.1

Source

cve@mitre.org

Tags

cve@mitre.org
2024-06-21
CVE-2022-42974

CVE-2022-42974 details

Published : June 21, 2024, 10:15 p.m.
Last Modified : June 21, 2024, 10:15 p.m.

Description

In Kostal PIKO 1.5-1 MP plus HMI OEM p 1.0.1, the web application for the Solar Panel is vulnerable to a Stored Cross-Site Scripting (XSS) attack on /file.bootloader.upload.html. The application fails to sanitize the parameter filename, in a POST request to /file.bootloader.upload.html for a system update, thus allowing one to inject HTML and/or JavaScript on the page that will then be processed and stored by the application. Any subsequent requests to pages that retrieve the malicious content will automatically exploit the vulnerability on the victim's browser. This also happens because the tag is loaded in the function innerHTML in the page HTML.

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description

References

URL Source
https://medium.com/%40daviddepaulasantos/how-we-got-a-cve-for-a-dom-based-stored-xss-on-a-solar-panel-917b9d7b2545 cve@mitre.org
This website uses the NVD API, but is not approved or certified by it.