Description
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Hereta ETH‑IMC408M firmware version 1.0.15 and earlier contain a stored cross‑site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. The malicious script is persisted on the device and executes automatically in any browser that displays the System Status page, enabling client‑side code execution, defacement of the UI, or hijacking of user sessions when administrators or other privileged users access the status interface.
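The following is an added illustration and not code from the OpenCVE record or from Hereta's firmware; the status-page markup, the escapeHtml and isValidDeviceName helpers and the sample Device Name value are all constructed for the example. It shows the defect class the record describes (a stored field rendered into HTML without encoding) next to the two defensive controls that remove it: an allow-list check when the Device Name is saved, and contextual output encoding when the System Status page is rendered.

```javascript
// Added example, not the device's firmware. Demonstrates why an unencoded
// Device Name becomes stored XSS on a status page, and how to prevent it.

// Constructed sample of an untrusted Device Name, as an authenticated user
// could submit it through the configuration form.
const UNTRUSTED_DEVICE_NAME = 'Rack-3 switch <script>probe()</script>';

// Vulnerable pattern: the stored value is concatenated straight into HTML, so
// whatever was saved in the field becomes live markup in every viewer's browser.
function renderStatusUnsafe(deviceName) {
  return '<td class="device-name">' + deviceName + '</td>';
}

// Control 1 (input side): an allow-list for the field. A device name has no
// legitimate need for angle brackets, quotes or ampersands. The character set
// and length limit here are assumptions chosen for the example.
function isValidDeviceName(value) {
  return /^[A-Za-z0-9 _.-]{1,64}$/.test(String(value));
}

// Control 2 (output side): encode the characters that can change HTML context.
// This encoder is for an HTML text node; attribute or JavaScript contexts need
// their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: the value reaches the page as inert text.
function renderStatusSafe(deviceName) {
  return '<td class="device-name">' + escapeHtml(deviceName) + '</td>';
}

// Detection check for rendered output or a stored configuration backup:
// does a saved field value survive as a live tag?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('accepted by allow-list:', isValidDeviceName(UNTRUSTED_DEVICE_NAME)); // false
console.log('unsafe render:', renderStatusUnsafe(UNTRUSTED_DEVICE_NAME));
console.log('safe render:  ', renderStatusSafe(UNTRUSTED_DEVICE_NAME));
```

Both controls belong together: the allow-list stops the value from being stored in the first place, and the output encoding protects viewers even if a value slips in through another path (a firmware upgrade, a restored backup or a different management protocol).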

Affected Systems

The flaw affects the Hereta ETH‑IMC408M device from Shenzhen Hereta Technology Co., Ltd. All firmware releases 1.0.15 and earlier are vulnerable. No additional sub‑version ranges are specified.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. An attacker must first authenticate to the device’s management interface to modify the Device Name field. Once the script is stored, it runs automatically in every browser that loads the System Status page, posing a significant risk to the confidentiality and integrity of user sessions.

Generated by OpenCVE AI on March 17, 2026 at 11:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware release (newer than 1.0.15) from Shenzhen Hereta, if one is available.
  • If no newer firmware exists, restrict or disable the Device Name field in the device configuration to prevent input of arbitrary text.
  • Disable or limit external access to the System Status interface for non‑trusted networks.
  • Use a web‑application firewall or browser security extensions to block cross‑site scripting when accessing the device interface.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 15:45:00 +0000

  Type: Metrics (cvssV3_1)
  Values removed: (empty)
  Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 17 Mar 2026 10:00:00 +0000

  Type: First Time appeared
  Values removed: (empty)
  Values added: Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m

  Type: Vendors & Products
  Values removed: (empty)
  Values added: Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m

Mon, 16 Mar 2026 18:15:00 +0000

  Type: Metrics (ssvc)
  Values removed: (empty)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 17:30:00 +0000

  Type: Description
  Values removed: (empty)
  Values added: Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.

  Type: Title
  Values removed: (empty)
  Values added: Hereta ETH-IMC408M Stored XSS via Device Name

  Type: Weaknesses
  Values removed: (empty)
  Values added: CWE-79

  Type: References
  Values removed: (empty)
  Values added: (empty)

  Type: Metrics (cvssV4_0)
  Values removed: (empty)
  Values added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T15:28:52.668Z

Reserved: 2026-03-04T15:39:26.871Z

Link: CVE-2026-29510

Vulnrichment

Updated: 2026-03-16T18:06:11.191Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T18:16:08.020

Modified: 2026-03-17T16:16:21.340

Link: CVE-2026-29510

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:50:11Z

Weaknesses