{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36748", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "state": "PUBLISHED", "assignerShortName": "DIVD", "dateReserved": "2025-04-15T21:54:36.814Z", "datePublished": "2025-12-13T08:16:23.523Z", "dateUpdated": "2025-12-16T11:02:11.082Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ShineLan-X", "vendor": "Growatt", "versions": [{"lessThanOrEqual": "3.6.0.2", "status": "affected", "version": "3.6.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hamid Rahmouni"}, {"lang": "en", "type": "analyst", "value": "Victor Pasman"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "ShineLan-X contains\u00a0a stored cross site scripting (XSS) vulnerability in the local configuration\u00a0web server. The JavaScript code snippet can be inserted\u00a0in the communication module\u2019s settings center. This may allow attackers to force a\u00a0legitimate user\u2019s browser\u2019s JavaScript engine to run malicious code."}], "value": "ShineLan-X contains\u00a0a stored cross site scripting (XSS) vulnerability in the local configuration\u00a0web server. The JavaScript code snippet can be inserted\u00a0in the communication module\u2019s settings center. This may allow attackers to force a\u00a0legitimate user\u2019s browser\u2019s JavaScript engine to run malicious code."}], "impacts": [{"capecId": "CAPEC-441", "descriptions": [{"lang": "en", "value": "CAPEC-441 Malicious Logic Insertion"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2025-12-16T11:02:11.082Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://csirt.divd.nl/CVE-2025-36748/"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T20:27:50.124259Z", "id": "CVE-2025-36748", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T20:33:24.697Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-36748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T20:27:50.124259Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T20:27:51.260Z"}}], "cna": {"title": "Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Hamid Rahmouni"}, {"lang": "en", "type": "analyst", "value": "Victor Pasman"}], "impacts": [{"capecId": "CAPEC-441", "descriptions": [{"lang": "en", "value": "CAPEC-441 Malicious Logic Insertion"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Growatt", "product": "ShineLan-X", "versions": [{"status": "affected", "version": "3.6.0.0", "versionType": "semver", "lessThanOrEqual": "3.6.0.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://csirt.divd.nl/CVE-2025-36748/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "ShineLan-X contains\u00a0a stored cross site scripting (XSS) vulnerability in the local configuration\u00a0web server. The JavaScript code snippet can be inserted\u00a0in the communication module\u2019s settings center. This may allow attackers to force a\u00a0legitimate user\u2019s browser\u2019s JavaScript engine to run malicious code.", "supportingMedia": [{"type": "text/html", "value": "ShineLan-X contains\u00a0a stored cross site scripting (XSS) vulnerability in the local configuration\u00a0web server. The JavaScript code snippet can be inserted\u00a0in the communication module\u2019s settings center. This may allow attackers to force a\u00a0legitimate user\u2019s browser\u2019s JavaScript engine to run malicious code.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2025-12-16T11:02:11.082Z"}}}, "cveMetadata": {"cveId": "CVE-2025-36748", "state": "PUBLISHED", "dateUpdated": "2025-12-16T11:02:11.082Z", "dateReserved": "2025-04-15T21:54:36.814Z", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "datePublished": "2025-12-13T08:16:23.523Z", "assignerShortName": "DIVD"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:growatt:shine_lan-x_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1176EDB4-C08F-4592-8C16-321A8A0539C4", "versionEndExcluding": "3.6.0.2", "versionStartIncluding": "3.6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:growatt:shine_lan-x:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD537AAA-F836-496A-BC05-6CAED38FB271", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ShineLan-X contains\u00a0a stored cross site scripting (XSS) vulnerability in the local configuration\u00a0web server. The JavaScript code snippet can be inserted\u00a0in the communication module\u2019s settings center. This may allow attackers to force a\u00a0legitimate user\u2019s browser\u2019s JavaScript engine to run malicious code."}], "id": "CVE-2025-36748", "lastModified": "2026-01-14T18:05:12.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "csirt@divd.nl", "type": "Secondary"}]}, "published": "2025-12-13T16:16:53.850", "references": [{"source": "csirt@divd.nl", "tags": ["Third Party Advisory"], "url": "https://csirt.divd.nl/CVE-2025-36748/"}], "sourceIdentifier": "csirt@divd.nl", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "csirt@divd.nl", "type": "Secondary"}]}

{}

{"created": "2025-12-14T21:14:30.028690+00:00", "updated": "2025-12-14T21:14:30.028720+00:00", "vendors": ["growatt", "growatt$PRODUCT$shinelan-x"]}