Impact
Improper neutralisation of input during web page generation allows an attacker to inject malicious scripts into the user interface of the GridTime 3000 GNSS Time Server. This cross‑site scripting flaw (CWE‑79) enables code to run in the context of the web interface when a user views a page, potentially exposing sensitive information or allowing unauthorized interaction with the device.
Affected Systems
Microchip GridTime 3000 firmware versions 1.0r0.03 through 1.1r0.0 are affected. Versions 1.2r0.0 and later incorporate enhanced CSRF protection and input sanitisation that mitigate the issue.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. No EPSS score is available, suggesting no publicly known exploit prevalence; however, the attack vector is likely through the web interface, using CSRF to deliver malicious input. Based on the description, it is inferred that an attacker can inject scripts by sending crafted HTTP requests to the device’s management endpoints. The specific authentication requirements for exploitation are not detailed in the available data.
OpenCVE Enrichment