Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible XSS via CSRF; low-privilege attacker account required (PR:L); scope changes to victim browser (S:C); no availability impact on server or browser session.
Primary rating from Vendor (Microchip).
CVSS VectorVendor: Microchip
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip GridTime 3000 allows Cross-Site Scripting (XSS).
This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
AnalysisAI
Cross-site scripting in Microchip GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) permits authenticated low-privilege attackers to inject and execute malicious scripts in the browser sessions of higher-privileged users via a CSRF-to-XSS attack chain. The CVSS 4.0 Threat metric E:A signals active exploitation has been reported by the vendor, elevating urgency beyond what the 5.1 base score alone implies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker possesses a valid low-privilege authenticated account on the GridTime 3000 web management interface (PR:L per CVSS 4.0). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.1 (Medium) reflects network accessibility (AV:N), low complexity (AC:L), a low-privilege prerequisite (PR:L), and passive user interaction (UI:P), with integrity and availability impacts rated low on the vulnerable system (VI:L/VA:L) and no impact on subsequent systems (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a low-privilege account on the GridTime 3000 web interface crafts a CSRF request that, when an authenticated administrator visits a malicious external page or link, fires against the device and triggers execution of attacker-controlled JavaScript within the administrator's browser session against the device UI. The CVSS 4.0 E:A metric indicates this type of exploitation has been reported in the wild. … |
| Remediation | Consult the Microchip vendor advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/gridtime-3000-gnss-time-server-csrf-to-xss for firmware patch availability; no specific patched firmware version number is confirmed in the currently available data, so the advisory is the authoritative source for the exact fix version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gridtime 3000
View allDOM-based cross-site scripting in Microchip's GridTime 3000 GNSS Time Server allows an authenticated attacker to inject
Open redirect in Microchip's GridTime 3000 GNSS Time Server allows authenticated low-privilege users to manipulate the p
Access token exposure in Microchip's GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) leaks authentica
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38038
GHSA-5vv7-m3jr-rp6c