CVE-2018-14919

28.06.2019, 17:15

LOYTEC LGATE-902 6.3.2 devices allow XSS.

Cross-site Scripting

Enginsight

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 6.1 MEDIUM | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |

EPSS Score Percentile: 81%

| Vendor | Product | Version |
|---|---|---|
| loytec | lgate-902_firmware | x < 6.4.2 |

x = Vulnerable software versions

Known Exploits!

- http://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html
- http://seclists.org/fulldisclosure/2019/Apr/12
- https://seclists.org/fulldisclosure/2019/Apr/12

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

- http://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html
- http://seclists.org/fulldisclosure/2019/Apr/12
- https://seclists.org/fulldisclosure/2019/Apr/12
- https://www.mag-securs.com/alertes/artmid/1894/articleid/41651/loytec-lgate-902-up-to-641-alarm-log-obj-handle-cross-site-scripting.aspx