VYPR
Unrated severityNVD Advisory· Published Jul 20, 2021· Updated Aug 4, 2024

CVE-2020-25205

CVE-2020-25205

Description

The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 is vulnerable to stored XSS in the set_banner() function of /var/www/core/controller/index.php. An unauthenticated attacker may set the contents of the /mnt/jffs2/banner.txt file, stored on the device's filesystem, to contain arbitrary JavaScript. The file contents are then used as part of a welcome/banner message presented to unauthenticated users who visit the login page for the web console. This vulnerability does not occur in the older 1.5.x firmware versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

4
  • Mimosa/B5, B5c, and C5x firmwaredescription
  • Mimosa/B5llm-create
    Range: <= 2.8.0.2
  • Mimosa/B5cllm-create
    Range: <= 2.8.0.2
  • Mimosa/C5xllm-create
    Range: <= 2.8.0.2

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.