Description
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Firmware
AI Analysis

Impact

Key detail from the CVE description: the vulnerability is a stored cross‑site scripting flaw in the Device Location field of Hereta ETH‑IMC408M firmware that allows authenticated attackers to inject arbitrary JavaScript, which is retained and executed when any user views the System Status page in a browser, because the input is not sanitized. This constitutes a CWE‑79 weakness. Based on the description, it is inferred that an attacker could use the injected script to steal session cookies, hijack user sessions, or deface the status page, but these specific impacts are not explicitly stated in the CVE description. The primary impact is stored XSS that can affect all users who view the affected page.

Affected Systems

Shenzhen Hereta Technology Co., Ltd. produces the Hereta ETH‑IMC408M device. Firmware versions 1.0.15 and earlier are affected. No other vendors or product families are mentioned in the available data.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited public exploitation. Attackers must first authenticate to the System Status interface, requiring privileged or legitimate credentials, implying the threat comes from an insider or compromised account. Because the XSS data is stored, malicious code persists on the device until removed, potentially exposing all users who later visit the status page. The overall risk is moderate; organizations should apply a patch as soon as possible.

Generated by OpenCVE AI on March 17, 2026 at 12:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Hereta firmware update that fixes the XSS flaw; verify functionality after installation.
  • If no patch is available, restrict or disable the System Status interface for users who do not need it, or block the Device Location field from accepting input via firewall or access‑control rules.
  • Implement server‑side input validation or sanitization on the Device Location field to eliminate script injection before storing the data.
  • Validate all changes in a testing environment to confirm operational continuity before applying to production.
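The input-validation and output-encoding advice above, shown as an added Python example that is not Hereta's firmware code or OpenCVE's; the status-page rendering, the allowlist pattern and the sample field values are all assumed for illustration, since the advisory does not describe the real interface.

```python
import html
import re

# Assumed allowlist for a device-location label: letters, digits, space and a
# few separators, bounded in length. The real firmware's accepted format is
# not known from the advisory; this is an illustrative policy.
LOCATION_RE = re.compile(r"^[A-Za-z0-9 ._,/()-]{1,64}$")


def validate_device_location(value: str) -> bool:
    """Accept a Device Location value only if it matches the allowlist."""
    return LOCATION_RE.fullmatch(value) is not None


def render_status_vulnerable(location: str) -> str:
    """'Before' form: the stored value is concatenated into the status page
    unescaped, so markup saved in the field reaches every viewer's browser."""
    return f"<tr><td>Device Location</td><td>{location}</td></tr>"


def render_status_hardened(location: str) -> str:
    """'After' form: HTML-encode on output so stored data is shown as text.
    html.escape turns <, >, &, and both quote characters into entities."""
    safe = html.escape(location, quote=True)
    return f"<tr><td>Device Location</td><td>{safe}</td></tr>"


def store_device_location(store: dict, value: str) -> bool:
    """Simulated save handler: validate before persisting (defence in depth
    alongside output encoding). Returns True only if the value was stored."""
    if not validate_device_location(value):
        return False
    store["device_location"] = value
    return True


# Constructed sample submissions, not captured from a real device.
BENIGN = "Rack 3, Room B-12"
HOSTILE = "Rack 3 <script>/* constructed marker */</script>"


if __name__ == "__main__":
    store = {}
    print(store_device_location(store, BENIGN))   # True
    print(store_device_location(store, HOSTILE))  # False: rejected at input
    print(render_status_vulnerable(HOSTILE))      # markup passes through
    print(render_status_hardened(HOSTILE))        # markup rendered as text
```

Output encoding is the control that actually stops the script from executing; the allowlist reduces what can be stored but must not be relied on alone, since other fields or older firmware may still hold unvalidated values.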

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 15:45:00 +0000 (values added; nothing removed)
  Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 17 Mar 2026 10:00:00 +0000 (values added; nothing removed)
  First Time appeared: Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m
  Vendors & Products: Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m

Mon, 16 Mar 2026 18:15:00 +0000 (values added; nothing removed)
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 17:30:00 +0000 (values added; nothing removed)
  Description: Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.
  Title: Hereta ETH-IMC408M Stored XSS via Device Location
  Weaknesses: CWE-79
  References: (none listed)
  Metrics (cvssV4_0): {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T15:29:07.351Z

Reserved: 2026-03-04T15:39:26.872Z

Link: CVE-2026-29513

Vulnrichment

Updated: 2026-03-16T18:09:49.342Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T18:16:08.190

Modified: 2026-03-17T16:16:21.570

Link: CVE-2026-29513

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:50:12Z

Weaknesses