Description
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

Hereta ETH‑IMC408M firmware versions 1.0.15 and earlier have a stored cross‑site scripting flaw in the Device Name field of the System Status interface. The vulnerability allows authenticated attackers to inject arbitrary JavaScript that is stored and later executed in the browsers of users who view the status page. The script runs with the privileges of the page viewer because no input sanitization is performed.

Affected Systems

The affected device is the Hereta ETH‑IMC408M network unit from Shenzhen Hereta Technology Co., Ltd. Firmware version 1.0.15 and prior are impacted; no information is given about newer firmware releases, so their status is unknown.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity, while an EPSS score of less than 1 % points to a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires that the attacker first obtain authenticated access to the device, after which the attacker can modify the Device Name field to embed malicious JavaScript. Any user who visits the affected status page will have the script executed in their browser, potentially exposing data visible to that browser session.

Generated by OpenCVE AI on April 10, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to a version newer than 1.0.15 that removes the XSS flaw
  • Restrict administrative access to trusted personnel and enforce strong authentication mechanisms
  • Avoid setting the Device Name to values that could be interpreted as code until a patch is applied
  • Monitor device logs for unexpected script execution or unauthorized changes to the Device Name field
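One defensive rendering pattern for the Device Name field, as an added example (not Hereta firmware or OpenCVE code; the function names, the 32-character length bound and the sample value are assumptions). It places the unescaped rendering that produces CWE-79 beside the HTML-escaped form, and adds the allowlist check a device would apply before storing the value:

```javascript
// Added example, not firmware code: how a System Status page should render a
// stored Device Name. Device and field names come from the advisory; the
// functions below are hypothetical.

// Vulnerable pattern (CWE-79): the stored value is concatenated into HTML
// untouched, so a name containing markup is parsed as part of the page.
function renderStatusRowUnsafe(deviceName) {
  return `<tr><td>Device Name</td><td>${deviceName}</td></tr>`;
}

// Mitigation 1: context-aware output encoding for HTML text content.
// Every character with meaning in HTML is replaced by its entity, so the
// browser shows the stored string as text instead of interpreting it.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderStatusRow(deviceName) {
  return `<tr><td>Device Name</td><td>${escapeHtml(deviceName)}</td></tr>`;
}

// Mitigation 2: defence in depth at write time. A network appliance's
// Device Name only needs a short printable identifier, so reject anything
// outside an allowlist before it is stored (the 32-char bound is assumed).
const DEVICE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,31}$/;
function isValidDeviceName(value) {
  return typeof value === 'string' && DEVICE_NAME_RE.test(value);
}

// Constructed sample: a Device Name carrying markup, the shape of input the
// advisory describes. The unsafe renderer emits it verbatim; the safe one
// neutralises it and the allowlist rejects it before storage.
const CONSTRUCTED_NAME = 'Switch-01<script>alert(1)</script>';
```

Output encoding is the actual fix for the stored value already on the device; the allowlist only limits what can be stored from now on.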

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hereta; Hereta eth-imc408m; Hereta eth-imc408m Firmware
CPEs                                  cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*; cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*
Vendors & Products                    Hereta; Hereta eth-imc408m; Hereta eth-imc408m Firmware

Tue, 17 Mar 2026 15:45:00 +0000

Type                 Values Removed   Values Added
Metrics                               cvssV3_1
                                      {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 17 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m
Vendors & Products                    Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m

Mon, 16 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 17:30:00 +0000

Type                 Values Removed   Values Added
Description                           Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.
Title                                 Hereta ETH-IMC408M Stored XSS via Device Name
Weaknesses                            CWE-79
References
Metrics                               cvssV4_0
                                      {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T15:28:52.668Z

Reserved: 2026-03-04T15:39:26.871Z

Link: CVE-2026-29510

Vulnrichment

Updated: 2026-03-16T18:06:11.191Z

NVD

Status: Analyzed

Published: 2026-03-16T18:16:08.020

Modified: 2026-04-10T17:46:37.863

Link: CVE-2026-29510

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:28Z

Weaknesses