Skip to main content

AllStarLink Supermon CVE-2025-11278

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-05 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:51 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in AllStarLink Supermon up to 6.2. This vulnerability affects unknown code of the component AllMon2. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Cross-site scripting (XSS) vulnerability in AllStarLink Supermon up to version 6.2 component AllMon2 allows remote attackers to inject malicious scripts via unknown vectors, with user interaction required. The vulnerability affects end-of-life products no longer receiving vendor support, and publicly available exploit code exists; however, EPSS exploitation probability is minimal at 0.02%, indicating limited real-world attack likelihood despite public disclosure.

Technical ContextAI

AllStarLink Supermon is a web-based monitoring interface for AllStarLink repeater networks. The vulnerability exists in the AllMon2 component, which handles web interface rendering. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient input validation or output encoding in the web application. The affected code path remains unspecified in available documentation, suggesting the vulnerability may involve multiple potential injection points in the AllMon2 web interface. CVSS 4.0 vector AV:N/AC:L/PR:N/UI:P indicates network-accessible XSS requiring only user interaction as a limiting factor.

Affected ProductsAI

AllStarLink Supermon versions up to and including 6.2 are affected. The vulnerability specifically impacts the AllMon2 component. CPE strings are not formally documented in referenced sources. The product is end-of-life and no longer receives maintenance from the vendor. No patch or updated version is available from the maintainer.

RemediationAI

No vendor-released patch is available for affected versions due to end-of-life status and non-responsive vendor. Organizations running Supermon 6.2 or earlier should immediately discontinue use and migrate to alternative monitoring solutions. If legacy Supermon deployments must remain operational, implement network-level mitigations: restrict AllMon2 web interface access via firewall rules to trusted administrator IP addresses only, deploy a reverse proxy with XSS filtering (e.g., mod_security or application firewall rules blocking script injection patterns), disable or remove the AllMon2 component if unused, and enforce Content Security Policy (CSP) headers (if web server permits) to prevent inline script execution. Monitor web server access logs for suspicious parameters targeting AllMon2 endpoints. These compensating controls reduce likelihood of exploitation but do not eliminate the underlying vulnerability.

Share

CVE-2025-11278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy