Skip to main content

Gridtime 3000

4 CVEs product

Monthly

CVE-2026-12620 MEDIUM This Month

Access token exposure in Microchip's GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) leaks authentication credentials via URL query parameters on certain management endpoints. Any party capable of observing network traffic, server access logs, HTTP Referer headers, or browser history during a high-privilege administrator session can harvest the exposed token and subsequently impersonate that session. The vendor-supplied CVSS 4.0 vector includes E:A (Exploit Maturity: Attacked), indicating that exploitation activity has been observed in the field, elevating practical urgency beyond what the moderate base score alone implies.

Information Disclosure Gridtime 3000
NVD VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2026-12621 MEDIUM This Month

DOM-based cross-site scripting in Microchip's GridTime 3000 GNSS Time Server allows an authenticated attacker to inject malicious JavaScript through the device's password reset form, executing arbitrary script in the browser context of any user who subsequently loads the affected page. The vulnerability spans versions 1.0r0.03 through all releases before 1.2r0.0. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; however, the network-accessible web interface and low-privilege authentication requirement make this exploitable in typical enterprise or utility network deployments where the device's management UI is reachable.

XSS Gridtime 3000
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-12622 MEDIUM This Month

Open redirect in Microchip's GridTime 3000 GNSS Time Server allows authenticated low-privilege users to manipulate the post-submission redirect destination of the password change form, enabling phishing and credential harvesting attacks against administrators. All firmware versions from 1.0r0.03 through 1.1r0.0 are confirmed affected per vendor self-disclosure. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.

Open Redirect Gridtime 3000
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-12619 MEDIUM This Month

Cross-site scripting in Microchip GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) permits authenticated low-privilege attackers to inject and execute malicious scripts in the browser sessions of higher-privileged users via a CSRF-to-XSS attack chain. The CVSS 4.0 Threat metric E:A signals active exploitation has been reported by the vendor, elevating urgency beyond what the 5.1 base score alone implies. Despite limited per-impact ratings, compromise of the web management interface of a critical time-synchronization appliance carries downstream risk to time-dependent infrastructure.

XSS Gridtime 3000
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
EPSS 0% CVSS 4.6
MEDIUM This Month

Access token exposure in Microchip's GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) leaks authentication credentials via URL query parameters on certain management endpoints. Any party capable of observing network traffic, server access logs, HTTP Referer headers, or browser history during a high-privilege administrator session can harvest the exposed token and subsequently impersonate that session. The vendor-supplied CVSS 4.0 vector includes E:A (Exploit Maturity: Attacked), indicating that exploitation activity has been observed in the field, elevating practical urgency beyond what the moderate base score alone implies.

Information Disclosure Gridtime 3000
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

DOM-based cross-site scripting in Microchip's GridTime 3000 GNSS Time Server allows an authenticated attacker to inject malicious JavaScript through the device's password reset form, executing arbitrary script in the browser context of any user who subsequently loads the affected page. The vulnerability spans versions 1.0r0.03 through all releases before 1.2r0.0. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; however, the network-accessible web interface and low-privilege authentication requirement make this exploitable in typical enterprise or utility network deployments where the device's management UI is reachable.

XSS Gridtime 3000
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Open redirect in Microchip's GridTime 3000 GNSS Time Server allows authenticated low-privilege users to manipulate the post-submission redirect destination of the password change form, enabling phishing and credential harvesting attacks against administrators. All firmware versions from 1.0r0.03 through 1.1r0.0 are confirmed affected per vendor self-disclosure. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.

Open Redirect Gridtime 3000
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site scripting in Microchip GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) permits authenticated low-privilege attackers to inject and execute malicious scripts in the browser sessions of higher-privileged users via a CSRF-to-XSS attack chain. The CVSS 4.0 Threat metric E:A signals active exploitation has been reported by the vendor, elevating urgency beyond what the 5.1 base score alone implies. Despite limited per-impact ratings, compromise of the web management interface of a critical time-synchronization appliance carries downstream risk to time-dependent infrastructure.

XSS Gridtime 3000
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy