CVE-2025-41748
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-09
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phoenix_contact | fl_switch | 3.50 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue in the pxc_Dot1xCfg.php file. An unauthenticated remote attacker can exploit it by tricking an authenticated user into clicking a malicious link. This can cause the user to unknowingly change device configuration parameters through the web-based management interface. However, the attacker cannot access system-level resources or take over the user's session because the session cookie is protected by the httpOnly flag.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to manipulate device configuration parameters by deceiving an authenticated user into clicking a crafted link. This could lead to unauthorized changes in device settings, potentially affecting device behavior or security. However, it does not allow the attacker to gain system-level access or hijack user sessions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that users are cautious about clicking on untrusted links in the web-based management interface. Since the vulnerability involves an XSS attack vector that requires user interaction, educating users to avoid suspicious links is important. Additionally, monitor for firmware updates or patches from the vendor addressing this issue and apply them promptly once available.