A stored cross‑site scripting (XSS) flaw exists in the Link Aggregation configuration interface. An unauthenticated remote attacker can create a trunk entry that contains malicious HTML or JavaScript. When any user views the affected page, the injected script runs in the victim’s browser, allowing the attacker to manipulate the user interface or perform other unauthorized actions. The session cookie is protected with the httpOnly flag, so the attacker cannot hijack an authenticated session but can still execute code while the victim is logged in.

The vulnerability affects a large range of Phoenix Contact networking equipment, including FL NAT 2008/2208, FL SWITCH series such as 2005, 2008, 2105, 2204-2TC-2SFX, 2206-2FX, 2208, 2212-2TC-2SFX, 2303-8SP1, 2404-2TC-2SFX, 2504-2GC-2SFP, 2608, 2708, and various TSN models (e.g., TSN 2312-2GC-2SFP, TSN 2314-2SFP, TSN 2316). No specific firmware or software version information is provided; any device reporting these product names may be impacted.

The CVSS score of 7.1 reflects a medium‑to‑high severity, with the vulnerability being exploitable by an unauthenticated attacker who can add a trunk entry through the web interface. The exploit requires that an attacker be able to access the link aggregation configuration page, which is typically restricted to local or internal networks. The lack of an httpOnly‑protected session cookie limits the impact to the context of the victim’s logged‑in session, but the ability to run arbitrary JavaScript remains significant. No EPSS score or KEV listing is available, indicating that the exploit probability is not documented and the vulnerability is not currently known to be exploited in the wild.