Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip GridTime 3000 allows Cross-Site Scripting (XSS).

This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
Published: 2026-06-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralisation of input during web page generation allows an attacker to inject malicious scripts into the user interface of the GridTime 3000 GNSS Time Server. This cross‑site scripting flaw (CWE‑79) enables code to run in the context of the web interface when a user views a page, potentially exposing sensitive information or allowing unauthorized interaction with the device.

Affected Systems

Microchip GridTime 3000 firmware versions 1.0r0.03 through 1.1r0.0 are affected. Versions 1.2r0.0 and later incorporate enhanced CSRF protection and input sanitisation that mitigate the issue.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. No EPSS score is available, suggesting no publicly known exploit prevalence; however, the attack vector is likely through the web interface, using CSRF to deliver malicious input. Based on the description, it is inferred that an attacker can inject scripts by sending crafted HTTP requests to the device’s management endpoints. The specific authentication requirements for exploitation are not detailed in the available data.

Generated by OpenCVE AI on June 19, 2026 at 20:59 UTC.

Remediation

Vendor Solution

Upgrade GridTime 3000 GNSS Time Server to the latest firmware. As of the firmware release 1.2r0.0, CSRF protections and parameter sanitization have been improved to not allow execution of arbitrary queries.


OpenCVE Recommended Actions

  • Upgrade the device to firmware 1.2r0.0 or later, which removes the CSRF and XSS issue.
  • Restrict access to the GridTime web management interface to trusted network segments or VPN connections to limit exposure to malicious input.
  • Implement a web application firewall or similar gateway protection to detect and block injection attempts and enforce strict input sanitisation.

Generated by OpenCVE AI on June 19, 2026 at 20:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Microchip
Microchip gridtime 3000
Vendors & Products Microchip
Microchip gridtime 3000

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip GridTime 3000 allows Cross-Site Scripting (XSS). This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
Title GridTime™ 3000 GNSS Time Server CSRF to XSS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A'}


Subscriptions

Microchip Gridtime 3000
cve-icon MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2026-06-29T05:22:52.398Z

Reserved: 2026-06-18T14:14:48.848Z

Link: CVE-2026-12619

cve-icon Vulnrichment

Updated: 2026-06-22T16:44:53.035Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:43Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')