VYPR
Medium severity (score 4.7) · NVD Advisory · Published Dec 12, 2024 · Updated Apr 15, 2026

CVE-2024-28142

Description

Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browsers of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the "file name" and wildcard character input field. By exploiting the wildcard character feature, attackers are able to store arbitrary JavaScript code which is triggered whenever the page is viewed afterwards, e.g. by higher privileged users such as admins.

This attack can even be performed without being logged in because the affected functions are not fully protected. Without logging in, only the file name parameter of the "Default" User can be changed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Image Access Scan2Net's 'File Name' parameter allows unauthenticated attackers to execute arbitrary JavaScript in admin browsers.

Vulnerability

Overview

The vulnerability is a stored cross-site scripting (XSS) issue in the Image Access Scan2Net firmware, affecting the 'File Name' parameter in the User Settings menu. The endpoint /cgi/uset.cgi?-cfilename fails to properly sanitize user input, particularly when using the wildcard character feature. This allows an attacker to inject arbitrary JavaScript code that is stored on the server and executed when the page is viewed by other users [1].

Exploitation

An attacker can exploit this vulnerability without authentication because the affected functions are not fully protected. Without logging in, the attacker can modify the file name parameter for the 'Default' user. When a higher-privileged user, such as an administrator, subsequently views the User Settings page, the injected JavaScript executes in their browser session [1].
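The two defects described in Overview and Exploitation, a stored value reflected into HTML without output encoding and a settings update accepted without a session check, are modelled below as an added example. This is not Scan2Net firmware code: the settings store, the wildcard syntax (%d and %u), the field name "filename" and the session shape are all assumptions chosen to illustrate the pattern, shown in a vulnerable form beside a hardened one.

```javascript
// Added example (not Scan2Net code): a minimal model of a per-user "file name"
// template that is stored server-side and later rendered into a settings page.
// Endpoint names, wildcard syntax, field names and session shape are assumptions.

// HTML-escape a value before placing it in element content or an attribute.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);

// Per-user settings store. "Default" models the profile the advisory says
// can be changed without logging in.
const settings = { Default: { fileName: "scan_%d" } };

// Hypothetical wildcard expansion: %d -> zero-padded counter, %u -> user name.
function expandFileName(template, ctx) {
  return template.replace(/%[du]/g, (m) =>
    m === "%d" ? String(ctx.counter).padStart(4, "0") : ctx.user);
}

// Vulnerable render: the stored template and its expanded preview are
// interpolated straight into HTML, so a template containing markup becomes
// live markup in the viewer's browser (the stored XSS).
function renderUserSettingsVulnerable(user) {
  const t = settings[user].fileName;
  return `<input name="filename" value="${t}">` +
         `<span class="preview">${expandFileName(t, { counter: 1, user })}</span>`;
}

// Hardened render: identical markup, but every stored value is escaped on output.
function renderUserSettingsHardened(user) {
  const t = settings[user].fileName;
  return `<input name="filename" value="${escapeHtml(t)}">` +
         `<span class="preview">${escapeHtml(expandFileName(t, { counter: 1, user }))}</span>`;
}

// Vulnerable update handler: writes the template for any user with no
// session check (models "affected functions are not fully protected").
function setFileNameVulnerable(req) {
  settings[req.user].fileName = req.fileName;
  return true;
}

// Hardened update handler: requires an authenticated session that owns the
// profile (or is an admin) and restricts the template to an allow-list of
// characters a file-name template actually needs. Output encoding above is
// still applied, so the allow-list is defence in depth, not the only control.
function setFileNameHardened(req, session) {
  if (!session || (session.user !== req.user && session.role !== "admin")) return false;
  if (!/^[A-Za-z0-9_.%-]{1,64}$/.test(req.fileName)) return false;
  settings[req.user].fileName = req.fileName;
  return true;
}

// Check used to compare the two renderers: does the HTML contain a live script tag?
const containsScriptTag = (html) => /<script\b/i.test(html);
```

To see the difference, store a constructed template such as `"><script>alert(1)</script>` through `setFileNameVulnerable` and render with both functions: the vulnerable output contains a real `<script>` element, the hardened output contains only `&lt;script&gt;`. The same template is rejected outright by `setFileNameHardened`, and so is any update made without a session, which is the unauthenticated path the advisory describes for the "Default" user.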

Impact

Successful exploitation enables the attacker to run arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, theft of sensitive data, or further attacks against the Scan2Net device and its network. The vulnerability is part of a larger set of critical flaws discovered in the Scan2Net platform [1].

Mitigation

The vendor has addressed this vulnerability in firmware version 7.42B. Users are strongly advised to update their devices to this or a later version to remediate the issue. No workarounds are documented, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (3)

News mentions (0)

No linked articles in our index yet.