Skip to main content

GridTime 3000 EUVDEUVD-2026-38038

| CVE-2026-12619 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 Microchip GHSA-5vv7-m3jr-rp6c
5.1
CVSS 4.0 · Vendor: Microchip
Share

Severity by source

Vendor (Microchip) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-accessible XSS via CSRF; low-privilege attacker account required (PR:L); scope changes to victim browser (S:C); no availability impact on server or browser session.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Microchip).

CVSS VectorVendor: Microchip

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 16:31 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip GridTime 3000 allows Cross-Site Scripting (XSS).

This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.

AnalysisAI

Cross-site scripting in Microchip GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) permits authenticated low-privilege attackers to inject and execute malicious scripts in the browser sessions of higher-privileged users via a CSRF-to-XSS attack chain. The CVSS 4.0 Threat metric E:A signals active exploitation has been reported by the vendor, elevating urgency beyond what the 5.1 base score alone implies. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker acquires low-privilege device account
Delivery
Craft CSRF payload targeting vulnerable web endpoint
Exploit
Deliver malicious link to authenticated admin user
Execution
Admin passively triggers CSRF request
Persist
XSS payload executes in admin browser session
Impact
Attacker hijacks session or alters device configuration

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker possesses a valid low-privilege authenticated account on the GridTime 3000 web management interface (PR:L per CVSS 4.0). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.1 (Medium) reflects network accessibility (AV:N), low complexity (AC:L), a low-privilege prerequisite (PR:L), and passive user interaction (UI:P), with integrity and availability impacts rated low on the vulnerable system (VI:L/VA:L) and no impact on subsequent systems (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privilege account on the GridTime 3000 web interface crafts a CSRF request that, when an authenticated administrator visits a malicious external page or link, fires against the device and triggers execution of attacker-controlled JavaScript within the administrator's browser session against the device UI. The CVSS 4.0 E:A metric indicates this type of exploitation has been reported in the wild. …
Remediation Consult the Microchip vendor advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/gridtime-3000-gnss-time-server-csrf-to-xss for firmware patch availability; no specific patched firmware version number is confirmed in the currently available data, so the advisory is the authoritative source for the exact fix version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy