CVE-2026-30695
Cross-Site Scripting in Zucchetti Axess Web Configuration Interface
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zucchetti | axess | * |
| zucchetti | xa4 | h06_build_5522 |
| zucchetti | x3 | x02_build_4163 |
| zucchetti | xio | h06_build_5522 |
| zucchetti | idoor_plus | h06_build_5522 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30695 is a Cross-Site Scripting (XSS) vulnerability found in the web-based configuration interface of Zucchetti Axess access control devices, such as XA4, X3/X3BIO, X4, X7, XIO, i-door, and i-door+. The issue arises because the device does not properly sanitize user input in the dirBrowse parameter of the /file_manager.cgi endpoint.
An attacker who is authenticated can exploit this vulnerability by injecting malicious JavaScript code through the dirBrowse parameter. This code then executes in the context of an administrative user, potentially allowing the attacker to hijack sessions, make unauthorized configuration changes, or access sensitive information.
How can this vulnerability impact me?
The vulnerability can have serious impacts including session hijacking, where an attacker takes over an administrative session; privilege escalation, allowing the attacker to gain higher access rights; and credential theft, exposing sensitive login information.
These impacts can lead to unauthorized changes in the device configuration and disclosure of sensitive data, potentially compromising the security and operation of the access control system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /file_manager.cgi endpoint of the Zucchetti Axess access control devices for improper sanitization of the dirBrowse parameter.
A common method is to send a crafted GET request injecting a script tag into the dirBrowse parameter and observing if the script executes, indicating a Cross-Site Scripting (XSS) vulnerability.
For example, you can use the following curl command to test the vulnerability:
`curl -k -u <username>:<password> "http://<device-ip>/file_manager.cgi?dirBrowse=<script>alert(1)</script>"`
If the response contains the injected script without proper encoding or sanitization, the device is vulnerable. [2]
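Besides probing the device directly, a defender can look for the same pattern in web-server or proxy logs in front of the device. The following script is an added detection example, not part of this advisory or of Zucchetti's software; it assumes combined-format access logs, and the sample lines are constructed.

```python
"""Flag requests to /file_manager.cgi whose dirBrowse value carries script
markup.  Added example for this CVE page; log format and samples are
constructed, not captured from a real device."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = """\
10.0.0.5 - admin [18/Mar/2026:10:01:02 +0000] "GET /file_manager.cgi?dirBrowse=/logs HTTP/1.1" 200 512
10.0.0.7 - admin [18/Mar/2026:10:02:15 +0000] "GET /file_manager.cgi?dirBrowse=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 601
10.0.0.7 - admin [18/Mar/2026:10:03:40 +0000] "GET /file_manager.cgi?dirBrowse=%2Fetc%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 598
10.0.0.9 - - [18/Mar/2026:10:04:00 +0000] "GET /index.cgi?dirBrowse=%3Cscript%3E HTTP/1.1" 401 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Heuristic: markup fragments that have no business in a directory path.
SUSPICIOUS_RE = re.compile(
    r'<\s*/?\s*script|javascript:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)', re.I
)


def suspicious_dirbrowse(line):
    """Return (client_ip, decoded_value) when the line is a /file_manager.cgi
    request whose dirBrowse parameter decodes to script-like markup, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/file_manager.cgi":
        return None
    # parse_qs already URL-decodes once; decode again to catch %253C-style
    # double encoding that a naive filter would miss.
    for value in parse_qs(parts.query, keep_blank_values=True).get("dirBrowse", []):
        decoded = unquote(value)
        if SUSPICIOUS_RE.search(decoded):
            return m.group("ip"), decoded
    return None


def scan(log_text):
    """Run suspicious_dirbrowse over every line and collect the hits."""
    return [hit for hit in map(suspicious_dirbrowse, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent dirBrowse={value!r}")
```

Hits from an authenticated account are the ones that matter here, since the flaw requires a logged-in user; correlate the client address with the session that was active at that time.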
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the web-based configuration interface to trusted networks and users only.
Ensure that only authenticated and authorized users can access the /file_manager.cgi endpoint.
Monitor and filter input to the dirBrowse parameter to prevent injection of malicious scripts.
If available, apply any vendor-provided patches or firmware updates that address this vulnerability.
Additionally, consider implementing web application firewalls (WAF) rules to detect and block XSS attack patterns targeting this endpoint.