CVE-2019-14478
Description
AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript code in the context of the user's browser if the victim opens or searches for a node whose "Display Name" contains an XSS payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AdRem NetCrunch 10.6.0.4587 web client fails to encode node display names, enabling stored XSS when a victim opens or searches for a malicious node.
Vulnerability
AdRem NetCrunch versions 10.6.0.4587 and possibly earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the web client. The application does not properly encode user-supplied input when echoing the "Display Name" of a monitored node back to the user's browser. An attacker with authenticated access to the NetCrunch server can store an XSS payload in a node's display name, and when any victim (including privileged users) opens or searches for that node, the payload executes in the browser context [1].
Exploitation
An attacker must have authenticated access to the NetCrunch monitoring server to create or modify a node with a malicious "Display Name" containing JavaScript code. The attack is performed remotely, without requiring any special network position beyond connectivity to the NetCrunch web interface. No user interaction beyond a victim opening or searching for the crafted node is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session in the context of the NetCrunch web application. This can lead to session hijacking, data exfiltration (including credentials stored for monitored systems), and further compromise of the monitoring server, which holds privileged credentials for monitored systems [1].
Mitigation
The vulnerability is fixed in AdRem NetCrunch versions 11.0.0.5282 and later, which implement proper output encoding and add the HttpOnly flag to session cookies. Users should upgrade to NetCrunch 11.0.0.5282 or later. If upgrading is not immediately possible, access to the web client should be restricted to trusted users only, and untrusted input in node display names should be avoided. No workaround short of the upgrade is documented [1].
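The defect class described above is a context-blind render of a stored string. The following is an added example, not NetCrunch code and not from the advisory: it shows a node-list row built by string concatenation (the vulnerable pattern) next to the same row built with HTML entity encoding (the fix the vendor is described as shipping), plus a check a reviewer can run to confirm the encoded output carries no tag that the template did not put there. The node shape, the `escapeHtml` helper and the sample display name are all constructed for illustration.

```javascript
// Added example (not NetCrunch code): rendering a monitored node's
// "Display Name" into HTML with and without output encoding.

// Minimal HTML entity encoder for text placed into element content or a
// double-quoted attribute value. Encode for the context you render into;
// this one covers those two contexts only, not URLs or inline scripts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the stored display name is spliced straight into
// markup, so whatever markup it contains is parsed by the browser.
function renderNodeRowUnsafe(node) {
  return `<tr data-id="${node.id}"><td class="name">${node.displayName}</td></tr>`;
}

// Hardened pattern: every field that came from a user is encoded before
// it lands in the document, attribute and element content alike.
function renderNodeRowSafe(node) {
  return `<tr data-id="${escapeHtml(node.id)}">` +
         `<td class="name">${escapeHtml(node.displayName)}</td></tr>`;
}

// Review check: list every tag name present in the rendered HTML and
// report any that the row template itself does not emit. An empty
// result means the display name could not introduce markup.
const TEMPLATE_TAGS = new Set(['tr', '/tr', 'td', '/td']);
function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<(\/?[a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample (not a payload from the advisory): a display name
// that carries an element with an event-handler attribute.
const sampleNode = {
  id: 'node-17',
  displayName: 'router-1 <img src=x onerror="probe()">',
};

console.log('unsafe :', renderNodeRowUnsafe(sampleNode));
console.log('safe   :', renderNodeRowSafe(sampleNode));
console.log('foreign tags in unsafe render:', foreignTags(renderNodeRowUnsafe(sampleNode)));
console.log('foreign tags in safe render  :', foreignTags(renderNodeRowSafe(sampleNode)));
```

Running it shows the unsafe render contains an `img` tag the template never emitted, while the safe render contains only `tr` and `td`; the encoded name is still displayed verbatim to the user because the browser decodes the entities as text. Encoding at output time, per context, is the durable fix; filtering display names on input helps but does not remove the need for it.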
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AdRem/NetCrunch
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] compass-security.com/fileadmin/Research/Advisories/2020-12_CSNC-2019-013_AdRem_NetCrunch_Cross-Site_Scripting_XSS.txt (MITRE x_refsource_MISC)
- www.adremsoft.com/support/ (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.