VYPR
Medium severity 6.1 · NVD Advisory · Published Feb 12, 2026 · Updated Apr 15, 2026

CVE-2019-25323


Description

Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. Attackers can craft specially formatted POST requests to the outputtitle parameter to execute arbitrary HTML and potentially manipulate the web interface's displayed content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heatmiser Netmonitor v3.03 is vulnerable to HTML injection via the outputtitle parameter in outputSetup.htm, allowing attackers to inject arbitrary HTML.

Vulnerability Overview

CVE-2019-25323 describes an HTML injection vulnerability in Heatmiser Netmonitor version 3.03. The flaw resides in the outputSetup.htm page, where the value of the outputtitle parameter is not properly neutralized before it is rendered in the web interface. This is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating a cross-site scripting-like weakness [3]. The vulnerability allows an attacker to inject arbitrary HTML code, which the browser then renders in the context of the affected page.

Exploitation Details

An attacker can exploit this vulnerability by sending a specially crafted POST request to the /outputSetup.htm endpoint. The exploit requires no authentication, as the device's web interface appears to be accessible without credentials [2]. The attacker must have network access to the Netmonitor device, typically on the local network. The provided exploit example demonstrates injecting a `` tag, but any HTML can be injected, including scripts if the context allows (though the primary classification is HTML injection, not stored XSS) [2].

Impact

Successful exploitation enables an attacker to manipulate the displayed content of the web interface. This could be used for phishing attacks, defacement, or to mislead users into performing actions that compromise security. Since the injection occurs in the output setup page, it may affect how device configurations are presented, potentially leading to misconfiguration or data exposure.

Mitigation Status

As of the latest references, no official patch has been released by Heatmiser to address this vulnerability. The vendor's website [1] does not mention any security updates for Netmonitor. Users are advised to restrict network access to the Netmonitor device to trusted networks only and to monitor for any future firmware updates. The vulnerability is listed in the Exploit Database [2] and tracked by VulnCheck [3], but it has not been added to the CISA Known Exploited Vulnerabilities catalog.
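With no patch available, requests to the device can be inspected wherever its traffic is already visible, such as a reverse proxy or a packet capture. The following is an added example, not code from the advisory, the vendor or the referenced exploit: it flags POST bodies sent to /outputSetup.htm whose outputtitle value contains HTML markup after URL decoding. It assumes a form-encoded request body; the function names, the `other` field and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

TARGET_PATH = "/outputSetup.htm"  # endpoint named in the advisory
TARGET_PARAM = "outputtitle"      # parameter named in the advisory
MAX_DECODE_ROUNDS = 3             # assumption: how many nested URL-encodings to unwrap

# "<" followed by a tag name, "/" or "!" (element, closing tag, comment/doctype).
MARKUP = re.compile(r"<\s*[/!a-zA-Z]")


def normalize(value: str) -> str:
    """Undo repeated URL-encoding so double-encoded brackets are not missed."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method: str, path: str, body: str) -> list[str]:
    """Return decoded outputtitle values in this request that contain markup."""
    if method.upper() != "POST":
        return []
    if path.split("?", 1)[0].lower() != TARGET_PATH.lower():
        return []
    hits = []
    for name, raw in parse_qsl(body, keep_blank_values=True):
        if name.lower() == TARGET_PARAM and MARKUP.search(normalize(raw)):
            hits.append(normalize(raw))
    return hits


# Constructed sample requests (method, path, body); "other" is a made-up field.
SAMPLES = [
    ("POST", "/outputSetup.htm", "outputtitle=Zone+1+Heating&other=1"),
    ("POST", "/outputSetup.htm", "outputtitle=Temp+%3C+20"),
    ("POST", "/outputSetup.htm", "outputtitle=%3Cb%3Ezone%3C%2Fb%3E&other=1"),
    ("POST", "/outputSetup.htm", "outputtitle=%253Cb%253Ezone"),
    ("GET", "/outputSetup.htm", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        flagged = inspect_request(method, path, body)
        print("ALERT" if flagged else "ok   ", method, path, flagged)
```

A plain title and a title containing a bare "<" comparison pass, while single- and double-encoded tags are flagged; the check is an alerting aid alongside the network restriction described above.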

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

4
