Description
Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into an reflected XSS but further abuse such as XXE may be possible
Published: 2026-03-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS via XML injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an XML injection flaw in the /IDC_Logging/checkifdone.cgi script of the IDC SFX Series SuperFlex Satellite Receiver Web management interface version 101. An authenticated user can provide an unsanitized file parameter that is reflected inside a CDATA block, allowing them to inject arbitrary XML elements. This leads to reflected Cross‑Site Scripting and potentially other XML‑related attacks such as XXE. The flaw is a classic example of CWE‑91, Improper Neutralization of Input During XML Processing.

Affected Systems

International Datacasting Corporation’s SFX Series SuperFlex Satellite Receiver Web management interface, specifically firmware version 101 (SFX2100), is affected. All devices running this firmware are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, but the EPSS score below 1% suggests a very low current exploitation probability. Because the flaw requires authenticated access to the web interface, it is unlikely to be abused publicly, yet insiders or compromised credentials could exploit it. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 16, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest firmware update from International Datacasting that addresses the XML injection in /IDC_Logging/checkifdone.cgi.
  • Limit access to the web management interface to a secure network segment and enforce strong authentication so only trusted personnel can reach the endpoint.
  • Implement input sanitization on the file parameter by escaping or removing XML‑sensitive characters before processing, thereby preventing injection of arbitrary XML.

Generated by OpenCVE AI on April 16, 2026 at 13:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
CPEs cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
Vendors & Products Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared International Datacasting Corporation (idc)
International Datacasting Corporation (idc) sfx Series Superflex Satellite Receiver Web Management Interface
Vendors & Products International Datacasting Corporation (idc)
International Datacasting Corporation (idc) sfx Series Superflex Satellite Receiver Web Management Interface

Wed, 04 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Title XML injection In /IDC_Logging/checkifdone.cgi Endpoint On IDC SFX Web Management Interface Version 101

Wed, 04 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into an reflected XSS but further abuse such as XXE may be possible
Weaknesses CWE-91
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}

Subscriptions

Datacast Sfx2100 Sfx2100 Firmware
International Datacasting Corporation (idc) Sfx Series Superflex Satellite Receiver Web Management Interface
cve-icon MITRE

Status: PUBLISHED

Assigner: Gridware

Published:

Updated: 2026-03-05T06:01:02.877Z

Reserved: 2026-03-03T09:59:08.426Z

Link: CVE-2026-28770

cve-icon Vulnrichment

Updated: 2026-03-04T16:03:11.581Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T07:16:14.093

Modified: 2026-03-09T18:23:14.410

Link: CVE-2026-28770

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses