Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping_ipaddr parameter to compromise authenticated administrator sessions when the links are visited.
AnalysisAI
Reflected XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables attackers to inject malicious scripts through the Network Diagnosis ping function's ping_ipaddr parameter. An attacker can craft a malicious link that, when clicked by an authenticated administrator, executes arbitrary JavaScript in their browser session, potentially compromising the device. No patch is currently available.
Technical ContextAI
Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.
RemediationAI
Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.
More in Eth Imc408M Firmware
View allStored XSS in Hereta ETH-IMC408M firmware v1.0.15 and earlier allows authenticated users to execute arbitrary JavaScript
Stored XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables authenticated attackers to execute arbitra
Hereta ETH-IMC408M devices running firmware 1.0.15 and earlier are vulnerable to cross-site request forgery attacks that
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12462