Description
Improper neutralization of input during web page generation XSS
vulnerability in the GridTime 3000 (password reset form) allows XSS.
This issue affects GridTime 3000: from 1.0r0.03 before 1.2r0.0.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an XSS flaw caused by improper neutralization of input during web page generation in the GridTime 3000 password reset form. It allows arbitrary JavaScript to be executed in the browser of an end‑user who follows the redirect after a password reset. Based on the description, it is inferred that an attacker could hijack sessions or deface pages through this injection, compromising confidentiality and integrity of the web interface.

Affected Systems

Microchip GridTime 3000 GNSS Time Server firmware versions from 1.0r0.03 to, but not including, 1.2r0.0 are affected. Devices running the GridTime 3000 product line should verify their firmware revision against this range.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, implying a lower likelihood of widespread exploitation. The likely attack vector is client side, requiring an end‑user to visit the password reset page after being directed to it; exploitation typically relies on social engineering or user interaction with the web interface. Based on the description, it is inferred that the vulnerability can be leveraged by an attacker to run arbitrary JavaScript in the victim’s browser.

Generated by OpenCVE AI on June 19, 2026 at 20:58 UTC.

Remediation

Vendor Solution

Upgrade GridTime 3000 GNSS Time Server to the latest firmware. As of the firmware release 1.2r0.0, parameter sanitization has been improved to not allow execution of arbitrary queries.


OpenCVE Recommended Actions

  • Upgrade the GridTime 3000 GNSS Time Server firmware to version 1.2r0.0 or later, where input sanitization for the password reset redirect has been fixed.
  • If immediate upgrade is not feasible, restrict or temporarily disable the password reset function to prevent unauthorized use of the vulnerable redirect.
  • Implement web application firewall rules that block script injection patterns in the redirect URL parameters to mitigate the risk of XSS until the firmware update is applied.

Generated by OpenCVE AI on June 19, 2026 at 20:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Microchip
Microchip gridtime 3000
Vendors & Products Microchip
Microchip gridtime 3000

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation XSS vulnerability in the GridTime 3000 (password reset form) allows XSS. This issue affects GridTime 3000: from 1.0r0.03 before 1.2r0.0.
Title Cross-Site Scripting (XSS) Vulnerability in Password Reset Redirect in GridTime™ 3000 GNSS Time Server
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Microchip Gridtime 3000
cve-icon MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2026-06-29T05:24:24.597Z

Reserved: 2026-06-18T14:15:15.522Z

Link: CVE-2026-12621

cve-icon Vulnrichment

Updated: 2026-06-22T16:51:39.860Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:33Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')