CVE-2018-10700
Description
An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability in Moxa AWK-3121 firmware 1.19 allows remote attackers to inject arbitrary JavaScript via the iw_board_deviceName POST parameter.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the device name change functionality of Moxa AWK-3121 devices running firmware version 1.19 [1]. The web application does not properly sanitize the iw_board_deviceName POST parameter, enabling an administrator-level user to inject arbitrary script code [1].
Exploitation
An attacker must first obtain administrative credentials to access the device management interface [1]. Once authenticated, the attacker can send a crafted POST request containing a malicious XSS payload in the iw_board_deviceName parameter [1]. The payload is then stored and executed when any user views the device's configuration page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected device [1]. This can lead to session hijacking, defacement, or theft of sensitive configuration data.
Mitigation
The vendor, Moxa, has not released a patched firmware version for the AWK-3121 to address this issue. The affected model is listed as end-of-life (EOL) and no longer receives firmware updates [1]. Administrators should restrict management interface access to trusted IP addresses and limit administrative privileges to reduce exposure.
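Because no fixed firmware exists, one compensating control that fits the mitigation above is a filter in front of the management interface that rejects iw_board_deviceName values outside an allowlist, together with HTML encoding wherever the stored name is rendered. The following is an added example, not Moxa's code and not part of the CVE record. The form encoding, the allowlist and the function names are assumptions.

```javascript
// Added example: allowlist check for the iw_board_deviceName form field.
// Assumptions (not from the CVE record): the form is posted as
// application/x-www-form-urlencoded, and a device name only needs letters,
// digits, space, dot, underscore and hyphen, at most 64 characters.
const FIELD = "iw_board_deviceName";
const ALLOWED = /^[A-Za-z0-9 ._-]{1,64}$/;

// Inspect a raw POST body before it reaches the device.
// Returns { allowed: boolean, reason: string }.
function checkDeviceNamePost(rawBody) {
  // URLSearchParams percent-decodes values and turns "+" into a space,
  // so the check runs on the value the device would actually store.
  const values = new URLSearchParams(rawBody).getAll(FIELD);
  if (values.length === 0) return { allowed: true, reason: "field absent" };
  // Repeated parameters are rejected: filter and device might pick
  // different occurrences.
  if (values.length > 1) return { allowed: false, reason: "duplicate field" };
  if (!ALLOWED.test(values[0])) {
    return { allowed: false, reason: "disallowed characters or length" };
  }
  return { allowed: true, reason: "ok" };
}

// Output side: encode a stored name before placing it in HTML text or a
// quoted attribute, so markup already stored is displayed, not interpreted.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample bodies (not captured traffic).
const samples = [
  "iw_board_deviceName=AWK-3121_Line4&Submit=1",
  "iw_board_deviceName=%3Cb%3Elab%3C%2Fb%3E",
  "iw_board_deviceName=ok&iw_board_deviceName=%3Cb%3E",
];
for (const body of samples) {
  console.log(JSON.stringify(checkDeviceNamePost(body)), body);
}
```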
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Moxa/AWK-3121 (description)
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/153223/Moxa-AWK-3121-1.14-Information-Disclosure-Command-Execution.html (mitre, x_refsource_MISC)
- github.com/samuelhuntley/Moxa_AWK_1121/blob/master/Moxa_AWK_1121 (mitre, x_refsource_MISC)
- seclists.org/bugtraq/2019/Jun/8 (mitre, mailing-list, x_refsource_BUGTRAQ)