GARO WALLBOX GLB+ T2EV7 Software Update index.jsp#settings cross site scripting
Description
A vulnerability, which was classified as problematic, was found in GARO WALLBOX GLB+ T2EV7 0.5. This affects an unknown part of the file /index.jsp#settings of the component Software Update Handler. The manipulation of the argument Reference leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254397 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: 0.5
- GARO/WALLBOX GLB+ T2EV7v5, Range: 0.5
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization in the 'Reference' parameter allows stored cross-site scripting."
Attack vector
An unauthenticated attacker can navigate to the device's settings page at `/index.jsp#settings`, click "Software Updates / Identification", select a wallbox, and click "Edit". The attacker then fills the "Reference" textbox with a JavaScript payload and submits the update. The payload is stored on the server and executed in the browser of any user who subsequently accesses the affected page, leading to stored cross-site scripting [ref_id=1].
Affected code
The vulnerability exists in the Software Update Handler within the file `/index.jsp#settings`. The "Reference" textbox parameter is the injection point, as shown in the researcher's PoC where the JSON value of "Reference" is modified to contain a malicious XSS payload [ref_id=1].
What the fix does
No patch or vendor response has been published. The advisory notes that the vendor was contacted early but did not respond [ref_id=1]. To remediate, the application must sanitize or encode user-supplied input in the "Reference" parameter before storing or rendering it, preventing execution of arbitrary JavaScript.
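As an added illustration of the remediation described above (not code from the vendor or the researcher), the following Python sketch shows the two controls side by side: validating the `Reference` field when the settings JSON is stored, and HTML-encoding it when it is rendered back into the wallbox listing. The JSON shape, the allow-list pattern and the `<td>` template are assumptions, not the device's real implementation.

```python
import html
import json
import re

# Constructed sample: a settings update whose "Reference" field carries a script
# tag. The JSON shape is assumed; it is not the device's real request format.
SAMPLE_UPDATE = json.dumps({"id": 1, "Reference": "<script>alert(1)</script>"})

# Assumed allow-list for a human-readable device label: letters, digits, a few
# separators, at most 64 characters. No '<', '>', '"' or '&' can get through.
REFERENCE_RE = re.compile(r"[A-Za-z0-9 ._:/-]{1,64}")


def is_valid_reference(value) -> bool:
    """Store-time control: accept only values matching the label allow-list."""
    return isinstance(value, str) and REFERENCE_RE.fullmatch(value) is not None


def store_settings(body: str, strict: bool = True) -> dict:
    """Parse the settings JSON; with strict=True an invalid Reference is rejected
    before it can be persisted (raises ValueError)."""
    data = json.loads(body)
    ref = data.get("Reference", "")
    if strict and not is_valid_reference(ref):
        raise ValueError("invalid Reference value")
    return {"id": data.get("id"), "Reference": ref}


def render_unsafe(settings: dict) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML as-is."""
    return "<td>" + settings["Reference"] + "</td>"


def render_safe(settings: dict) -> str:
    """Hardened pattern: HTML-encode at render time, so the value is shown as text.
    This protects even records stored before validation was added."""
    return "<td>" + html.escape(settings["Reference"], quote=True) + "</td>"


def contains_active_markup(rendered: str) -> bool:
    """Detection helper for a review or test: does the rendered fragment still
    contain a raw script tag or an inline event-handler attribute?"""
    return re.search(r"<\s*script|\bon\w+\s*=", rendered, re.IGNORECASE) is not None
```

Validation alone would not neutralise a payload that is already stored, which is why the encoding step belongs at every point the field is rendered.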
Preconditions
- Network: Attacker must have network access to the device's web interface
- Auth: No authentication is required to access the settings page
- Input: The 'Reference' parameter is not sanitized before storage
Reproduction
1. Navigate to `http://
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- drive.google.com/file/d/1spsElvU8rgCs4gUxc662SCBjTI9VAqth/view (mitre, exploit)
- github.com/strik3r0x1/Vulns/blob/main/GARO_GLBDCMB-T274WO_Stored_XSS.md (mitre, related)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.