Impact
The vulnerability is an XSS flaw caused by improper neutralization of input during web page generation in the GridTime 3000 password reset form. It allows arbitrary JavaScript to be executed in the browser of an end‑user who follows the redirect after a password reset. Based on the description, it is inferred that an attacker could hijack sessions or deface pages through this injection, compromising confidentiality and integrity of the web interface.
Affected Systems
Microchip GridTime 3000 GNSS Time Server firmware versions from 1.0r0.03 to, but not including, 1.2r0.0 are affected. Devices running the GridTime 3000 product line should verify their firmware revision against this range.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity. EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, implying a lower likelihood of widespread exploitation. The likely attack vector is client side, requiring an end‑user to visit the password reset page after being directed to it; exploitation typically relies on social engineering or user interaction with the web interface. Based on the description, it is inferred that the vulnerability can be leveraged by an attacker to run arbitrary JavaScript in the victim’s browser.
OpenCVE Enrichment