CVE-2018-16061
Description
Mitsubishi Electric SmartRTU devices are vulnerable to reflected XSS via the username parameter or PATH_INFO in login.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mitsubishi Electric SmartRTU devices are vulnerable to reflected XSS via the username parameter or PATH_INFO in login.php.
Vulnerability
Mitsubishi Electric Europe B.V. SmartRTU devices are affected by a reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability exists in the login.php script and can be triggered by injecting malicious scripts into the username parameter or the PATH_INFO component of the request URL. The specific affected versions are not detailed beyond 'ME RTU' [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL or POST request that includes JavaScript payloads within the username parameter or the PATH_INFO. For example, a POST request to /login.php/srdzz'onmouseover%3d'alert(1)'style%3d'position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b'bsmy8 with a specially crafted username value can trigger the XSS. User interaction is required, as the victim must visit the malicious link or interact with the crafted request [1].
Impact
Successful exploitation of this reflected XSS vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. This can lead to session hijacking, credential theft, or redirection to malicious websites, depending on the payload delivered. The impact is limited to the privileges of the logged-in user whose session is compromised [1].
Mitigation
No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult Mitsubishi Electric for updated information. There are no known workarounds or EOL status information available at this time [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Mitsubishi Electric Europe B.V./SmartRTU devicesdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly sanitize user-supplied input in the username parameter and PATH_INFO, leading to reflected cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by crafting a malicious request that includes JavaScript code within the username parameter or the PATH_INFO of the login.php script [ref_id=1]. This script is then reflected in the application's response without proper sanitization, executing the injected code in the user's browser [ref_id=1]. The exploit demonstrates injecting an `onmouseover` event handler into the form tag, which triggers an alert when the mouse hovers over it [ref_id=1].
Affected code
The vulnerability exists in the login.php script, specifically in how it handles the username parameter and the PATH_INFO. The provided exploit request shows that the injected payload is placed within the `action` attribute of the form tag in the response, indicating a lack of sanitization for these input vectors [ref_id=1].
What the fix does
The patch is not available in the provided information. The advisory does not specify remediation steps or a fix.
Preconditions
- networkThe attacker must be able to send HTTP requests to the vulnerable device.
- inputThe attacker must be able to control the username parameter or the PATH_INFO.
Reproduction
POST /login.php/srdzz'onmouseover%3d'alert(1)'style%3d'position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b'bsmy8 HTTP/1.1 Host: **.**.**.*** Content-Length: 132 Cache-Control: max-age=0 Origin: http://**.**.**.*** Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://**.**.**.***sss/login.php Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=el8pvccq5747u4qj9koio950l7 Connection: close
submitted=1&username=--%3E%27%22%2F%3E%3C%2FsCript%3E%3CsvG+x%3D%22%3E%22+onload%3D%28co%5Cu006efirm%29%60%60&password=&Submit=Login [ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.