CVE-2019-7677
Description
XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Enphase Envoy R3.*.* has a stored XSS vulnerability via the profileName parameter on the /home endpoint (TCP 8888).
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Enphase Envoy firmware versions R3.*.*. The profileName parameter passed to the /home URI on TCP port 8888 is not sanitized, allowing injection of arbitrary JavaScript [1]. This endpoint is served by the embedded web interface of the solar inverter monitoring device.
Exploitation
An attacker must have network access to TCP port 8888 of a target Enphase Envoy device. No authentication is required to reach the /home page. When a request carries a malicious payload in the profileName parameter (e.g., a `` tag), the payload is stored and executed in the context of any user who later views the home page [1]. A screenshot of a successful injection is provided in the disclosure [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user visiting the affected page. This can lead to session hijacking, credential theft, or defacement of the device's web interface. The device's role in monitoring solar energy equipment means an attacker could potentially alter displayed data or mislead users.
Mitigation
The vendor has not released a patched version. As of the publication date (2019-02-09), no fix or workaround is documented [1]. Affected users should restrict network access to the Envoy device (TCP 8888) to trusted networks only, and monitor for future firmware updates from Enphase.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt (mitre, x_refsource_MISC)
[2] github.com/pudding2/enphase-energy/blob/master/XSS.png (mitre, x_refsource_MISC)