CVE-2022-50801
Description
JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to authenticated stored cross-site scripting (XSS) attacks, allowing attackers with authenticated access to inject malicious scripts that will be executed in other users' browsers when they view the affected content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JM-DATA ONU JF511-TV versions 1.0.55 through 1.0.67 contain an authenticated stored XSS vulnerability in the URL filter configuration form.
Vulnerability Overview
The JM-DATA ONU JF511-TV, a GEPON home and business gateway, is vulnerable to authenticated stored cross-site scripting (XSS) in versions 1.0.55, 1.0.62, and 1.0.67 [1][2]. The vulnerability resides in the /boaform/admin/formURL endpoint, where the url parameter is not properly sanitized before being stored and later rendered in the URL filter configuration page (/secu_urlfilter_cfg_en.asp) [2]. This allows an attacker with valid credentials to inject arbitrary HTML or JavaScript code.
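The missing control described above, sketched as an added example (this is not the vendor's firmware code): validate the submitted `url` value on input and HTML-encode it again when the filter table is rendered. Only the endpoint path and the `url` parameter come from the advisory; the entry grammar, function names, table markup and sample bodies are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Path and parameter name are from the advisory; the entry grammar, function
# names and table markup below are assumptions made for this example.
FORM_PATH = "/boaform/admin/formURL"
PARAM = "url"

# Assumed grammar: hostname plus optional path, using only characters that
# carry no meaning in HTML, capped at 128 characters.
_ENTRY_RE = re.compile(
    r"(?=.{1,128}\Z)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
    r"(?:/[A-Za-z0-9._~/-]*)?\Z"
)


def validate_filter_entry(value):
    """Input check: True only for entries matching the assumed grammar."""
    return bool(_ENTRY_RE.match(value))


def inspect_form_post(path, body):
    """Split the `url` values of a form POST into (accepted, rejected)."""
    if path != FORM_PATH:
        return [], []  # other endpoints are out of scope for this check
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    accepted = [v for v in values if validate_filter_entry(v)]
    rejected = [v for v in values if not validate_filter_entry(v)]
    return accepted, rejected


def render_filter_row(value):
    """Output encoding: escape a stored entry before it enters a table cell."""
    return "<tr><td>" + html.escape(value, quote=True) + "</td></tr>"


# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    "url=ads.example.com%2Fbanner&submit=Add",
    "url=%22%3E%3Ci%3Emarkup%3C%2Fi%3E&submit=Add",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_form_post(FORM_PATH, sample))
```

Either layer alone stops the stored value from being interpreted as markup; applying both means entries already stored before the input check existed are still rendered inertly.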
Exploitation Details
An attacker must first authenticate to the device's web interface. The default credentials are user:user [2]. Once logged in, the attacker can craft a POST request to the vulnerable form, embedding a malicious payload in the url parameter. For example, the payload '>' will be stored and executed when any other authenticated user views the URL filter configuration page [2]. The attack does not require any special privileges beyond a standard user account.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of another administrator's browser session. This can lead to session hijacking, theft of authentication cookies, or further manipulation of the device's configuration through actions performed on behalf of the victim [1][4]. The CVSS v3 base score is 4.3 (Medium), reflecting the need for authenticated access and user interaction [4].
Mitigation
As of the publication date (2025-12-30), no official patch has been released by JM-DATA [3]. The vendor's website does not mention a fix or updated firmware [3]. Users are advised to change default credentials immediately, restrict network access to the management interface, and monitor for any vendor updates. The vulnerability disclosures or firmware updates [1][2].
[1] Zero Science Lab — Macedonian Information Security Research & Development Laboratory
[2] JM-DATA ONU JF511-TV 1.0.67 / 1.0.62 / 1.0.55 XSS / CSRF / Open Redirect
[3] Innovative IT-Lösungen für Provider & Unternehmen | JM-DATA
[4] JM-DATA ONU JF511-TV 1.0.67 Authenticated Stored Cross-Site Scripting (XSS) Vulnerability
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0.67
Patches
No patches discovered yet.
References
- cxsecurity.com/issue/WLB-2022060058 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/229343 (nvd)
- packetstormsecurity.com/files/167487/ (nvd)
- www.jm-data.com (nvd)
- www.vulncheck.com/advisories/jm-data-onu-jf-tv-authenticated-stored-cross-site-scripting-xss-vulnerability (nvd)
- www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5708.php (nvd)