Vulnerability Description
P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.
CVSS Score
3.5 (LOW)
Related Weaknesses (CWE)
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/176993
- https://packetstormsecurity.com/files/156170/P5-FNIP-8x16A-FNIP-4xSH-1.0.20-CSRF
- https://www.exploit-db.com/exploits/48362
- https://www.p5.hu/
- https://www.vulncheck.com/advisories/p-fnip-xafnip-xsh-stored-cross-site-scripti
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
FAQ
What is CVE-2020-37148?
CVE-2020-37148 is a stored cross-site scripting vulnerability in P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11, with a CVSS score of 3.5 (LOW).
How severe is CVE-2020-37148?
CVE-2020-37148 has been rated LOW with a CVSS base score of 3.5/10.
Is there a patch for CVE-2020-37148?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.