Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /index.cgi endpoint of International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101. The application fails to adequately sanitize user-supplied input provided via the `cat` parameter before reflecting it in the HTTP response, allowing a remote attacker to execute arbitrary HTML or JavaScript in the victim's browser context.
Published: 2026-03-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS via /index.cgi
Action: Apply Patch
AI Analysis

Impact

A Reflected Cross-Site Scripting flaw exists in the /index.cgi endpoint of the IDC SFX Series SuperFlex Satellite Receiver Web Management Interface, version 101. The application does not adequately sanitize the user-supplied cat parameter before reflecting it in the HTTP response, so an attacker can inject arbitrary HTML or JavaScript that runs in a victim's browser. This can lead to session hijacking, disclosure of data, or further client-side attacks in the context of the authenticated user. The weakness is classified as CWE-79 (improper neutralization of input during web page generation), the consequence of missing output encoding.

Affected Systems

International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface, specifically firmware version 101. Devices running this firmware are vulnerable; no other products or versions are listed as affected.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity, while the EPSS score is below 1%, indicating very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation is remote and requires only access to the web endpoint; an attacker can craft a URL with a malicious cat value and lure a victim to visit it. The impact is confined to the victim’s browser session, but if the interface has elevated privileges or integrated authentication it could have broader consequences. Exposure of the interface to the public Internet raises the risk; internal or firewall‑protected access reduces the likelihood.

Generated by OpenCVE AI on April 16, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and flash the latest firmware update from IDC that addresses the XSS vulnerability.
  • Place the device behind a VPN or firewall and restrict direct web‑management access from the public network.
  • Configure the web server to send a Content-Security-Policy header and to HTML-encode (or otherwise sanitize) the cat parameter before it is reflected, so that injected markup cannot execute as script.
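Since no vendor fix is listed, an interim control on the defender's side is to watch the device's web-server access log for requests to /index.cgi whose cat parameter carries HTML markup. The script below is an added example, not part of the OpenCVE record or the vendor's firmware; the access-log lines and the parameter values in them are constructed, and the Common Log Format layout is an assumption about how the receiver logs requests.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2026:08:16:13 +0000] "GET /index.cgi?cat=status HTTP/1.1" 200 2048
10.0.0.7 - - [04/Mar/2026:08:17:02 +0000] "GET /index.cgi?cat=%3Cscript%3E HTTP/1.1" 200 2100
10.0.0.9 - - [04/Mar/2026:08:18:40 +0000] "GET /index.cgi?cat=config&page=2 HTTP/1.1" 200 1900
10.0.0.7 - - [04/Mar/2026:08:19:11 +0000] "GET /index.cgi?cat=%2522%253E%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 2100
10.0.0.3 - - [04/Mar/2026:08:20:00 +0000] "GET /other.cgi?cat=%3Cb%3E HTTP/1.1" 404 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and tokens a legitimate category name never needs, but which are required
# to break out of HTML or attribute context when the value is reflected unencoded.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded values are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_cat(log_text: str) -> list[dict]:
    """Return one record per request to /index.cgi whose `cat` value contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if url.path != "/index.cgi":
            continue  # only the affected endpoint is of interest
        # parse_qs already decodes one layer; decode_fully handles the rest.
        for raw in parse_qs(url.query, keep_blank_values=True).get("cat", []):
            value = decode_fully(raw)
            if MARKUP_RE.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "cat": value, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_cat(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the device served the reflected page, so the client that issued it is worth correlating against session activity on the management interface.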


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:30:00 +0000

  • First Time appeared (values added): Datacast; Datacast sfx2100; Datacast sfx2100 Firmware
  • CPEs (values added): cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*; cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
  • Vendors & Products (values added): Datacast; Datacast sfx2100; Datacast sfx2100 Firmware
  • Metrics cvssV3_1 (values added): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 05 Mar 2026 06:30:00 +0000

  • References: updated (no values listed)

Thu, 05 Mar 2026 06:15:00 +0000

  • References: updated (no values listed)

Wed, 04 Mar 2026 21:15:00 +0000

  • First Time appeared (values added): International Datacasting Corporation (idc); International Datacasting Corporation (idc) sfx Series Superflex Satellite Receiver Web Management Interface
  • Vendors & Products (values added): International Datacasting Corporation (idc); International Datacasting Corporation (idc) sfx Series Superflex Satellite Receiver Web Management Interface

Wed, 04 Mar 2026 20:15:00 +0000

  • Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 08:30:00 +0000

  • Title (values added): Reflected XSS In /index.cgi Endpoint On IDC Satellite Receiver Web Management Interface Version 101

Wed, 04 Mar 2026 07:30:00 +0000

  • Description (values added): A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /index.cgi endpoint of International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101. The application fails to adequately sanitize user-supplied input provided via the `cat` parameter before reflecting it in the HTTP response, allowing a remote attacker to execute arbitrary HTML or JavaScript in the victim's browser context.
  • Weaknesses (values added): CWE-79
  • References: updated (no values listed)
  • Metrics cvssV4_0 (values added): {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

  Status: PUBLISHED
  Assigner: Gridware
  Published:
  Updated: 2026-03-05T06:00:45.803Z
  Reserved: 2026-03-03T09:59:08.426Z
  Link: CVE-2026-28771

Vulnrichment

  Updated: 2026-03-04T20:00:46.425Z

NVD

  Status: Analyzed
  Published: 2026-03-04T08:16:13.173
  Modified: 2026-03-09T18:23:27.060
  Link: CVE-2026-28771

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-16T13:45:21Z

Weaknesses