Description
A Reflected Cross-Site Scripting (XSS) vulnerability in the /IDC_Logging/index.cgi endpoint of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 allows a remote attacker to execute arbitrary web scripts or HTML. The vulnerability is triggered by sending a crafted payload through the `submitType` parameter, which is reflected directly into the DOM without proper escaping.
Published: 2026-03-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting flaw in the /IDC_Logging/index.cgi endpoint of the SFX Series SuperFlex SatelliteReceiver Web Management Interface. An unauthenticated remote attacker can inject arbitrary HTML or JavaScript by supplying a specially crafted value to the submitType parameter. When the parameter value is incorporated into the page without escaping, the attack can execute code in the context of the interface, enabling attackers to hijack user sessions, deface the UI, or perform phishing attacks against operators.

Affected Systems

International Datacasting Corporation’s SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 is affected. Users running firmware versions corresponding to the SFX2100 series, as identified by the vendor’s cpe entries for the device and its firmware, are at risk.

Risk and Exploitability

The CVSS base score is 5.1, indicating a medium severity exposure. The EPSS score of less than 1% suggests that exploitation probability is low in the near term, and the vulnerability is not currently catalogued in CISA’s KEV list. However, because the attack vector is purely remote and requires only the ability to send requests to the web interface, a motivated actor could exploit it if the interface is exposed to the internet or an internal network without adequate segregation. The required conditions are minimal: generic HTTP request with a crafted submitType value; no authentication or privileged access is needed.

Generated by OpenCVE AI on April 16, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any vendor firmware upgrade that removes the reflected XSS issue.
  • If a firmware update is not available, block or disable the /IDC_Logging/index.cgi endpoint on the device’s web server or via network controls.
  • Add server‑side input validation and proper escaping for the submitType parameter in the web application to prevent user-supplied data from being reflected unchanged.

Generated by OpenCVE AI on April 16, 2026 at 13:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
CPEs cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
Vendors & Products Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 05 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared International Datacasting Corporation (idc)
International Datacasting Corporation (idc) sfx Series Superflex Satellitereceiver Web Management Interface
Vendors & Products International Datacasting Corporation (idc)
International Datacasting Corporation (idc) sfx Series Superflex Satellitereceiver Web Management Interface

Wed, 04 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Title Reflected XSS in Logging Index endpoint Reflected XSS in IDC_Logging Index endpoint

Wed, 04 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability in the /IDC_Logging/index.cgi endpoint of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 allows a remote attacker to execute arbitrary web scripts or HTML. The vulnerability is triggered by sending a crafted payload through the `submitType` parameter, which is reflected directly into the DOM without proper escaping.
Title Reflected XSS in Logging Index endpoint
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Datacast Sfx2100 Sfx2100 Firmware
International Datacasting Corporation (idc) Sfx Series Superflex Satellitereceiver Web Management Interface
cve-icon MITRE

Status: PUBLISHED

Assigner: Gridware

Published:

Updated: 2026-03-05T06:00:30.449Z

Reserved: 2026-03-03T09:59:08.426Z

Link: CVE-2026-28772

cve-icon Vulnrichment

Updated: 2026-03-04T19:51:26.576Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T08:16:13.333

Modified: 2026-03-09T18:23:37.540

Link: CVE-2026-28772

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses