{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T05:25:48.991","vulnerabilities":[{"cve":{"id":"CVE-2026-29513","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-03-16T18:16:08.190","lastModified":"2026-04-10T17:44:34.403","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation."},{"lang":"es","value":"Hereta ETH-IMC408M firmware versión 1.0.15 y anteriores contienen una vulnerabilidad de cross-site scripting almacenado que permite a atacantes autenticados inyectar JavaScript arbitrario manipulando el campo Device Location. Los atacantes pueden inyectar scripts maliciosos a través de la interfaz System Status que se ejecutan en los navegadores de los usuarios que ven la página de estado sin saneamiento de entrada."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"1.0.15","matchCriteriaId":"9E114378-9A8F-4EC3-A7B3-89DF7D6BBEC0"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*","matchCriteriaId":"D3C670E1-A5ED-4FC7-8150-0B62411371F9"}]}]}],"references":[{"url":"https://web.archive.org/web/20250820105319/http://hereta.com/","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://www.vulncheck.com/advisories/hereta-eth-imc408m-stored-xss-via-device-location","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}}]}