Eth Imc408M Firmware
Monthly
Hereta ETH-IMC408M devices running firmware 1.0.15 and earlier are vulnerable to cross-site request forgery attacks that allow unauthenticated remote attackers to modify device configuration through setup.cgi, including adding RADIUS accounts and altering network settings. The vulnerability exploits missing CSRF protections combined with automatic inclusion of HTTP Basic Authentication credentials, requiring only user interaction to trigger the attack. No patch is currently available.
Reflected XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables attackers to inject malicious scripts through the Network Diagnosis ping function's ping_ipaddr parameter. An attacker can craft a malicious link that, when clicked by an authenticated administrator, executes arbitrary JavaScript in their browser session, potentially compromising the device. No patch is currently available.
Stored XSS in Hereta ETH-IMC408M firmware v1.0.15 and earlier allows authenticated users to execute arbitrary JavaScript in other users' browsers via unsanitized input in the Device Location field on the System Status interface. An attacker with valid credentials can inject malicious scripts that persist and execute when legitimate users access the status page, potentially enabling session hijacking or credential theft. No patch is currently available.
Stored XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables authenticated attackers to execute arbitrary JavaScript in the System Status interface by injecting malicious code through the Device Name field. The vulnerability affects any user viewing the compromised status page, potentially leading to session hijacking or credential theft. No patch is currently available for this issue.
Hereta ETH-IMC408M devices running firmware 1.0.15 and earlier are vulnerable to cross-site request forgery attacks that allow unauthenticated remote attackers to modify device configuration through setup.cgi, including adding RADIUS accounts and altering network settings. The vulnerability exploits missing CSRF protections combined with automatic inclusion of HTTP Basic Authentication credentials, requiring only user interaction to trigger the attack. No patch is currently available.
Reflected XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables attackers to inject malicious scripts through the Network Diagnosis ping function's ping_ipaddr parameter. An attacker can craft a malicious link that, when clicked by an authenticated administrator, executes arbitrary JavaScript in their browser session, potentially compromising the device. No patch is currently available.
Stored XSS in Hereta ETH-IMC408M firmware v1.0.15 and earlier allows authenticated users to execute arbitrary JavaScript in other users' browsers via unsanitized input in the Device Location field on the System Status interface. An attacker with valid credentials can inject malicious scripts that persist and execute when legitimate users access the status page, potentially enabling session hijacking or credential theft. No patch is currently available.
Stored XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables authenticated attackers to execute arbitrary JavaScript in the System Status interface by injecting malicious code through the Device Name field. The vulnerability affects any user viewing the compromised status page, potentially leading to session hijacking or credential theft. No patch is currently available for this issue.