CVE-2025-0193

Stored Cross-site Scripting (XSS) Vulnerability in the MGate 5121/5122/5123 Series

CVSS 5.2 MEDIUMEPSS 0.3%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.2EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

15 Jan 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A stored Cross-site Scripting (XSS) vulnerability exists in the MGate 5121/5122/5123 Series firmware version v1.0 because of insufficient sanitization and encoding of user input in the "Login Message" functionality. An authenticated attacker with administrative access can exploit this vulnerability to inject malicious scripts that are continuously stored on the device. These scripts are executed when other users access the login page, potentially resulting in unauthorized actions or other impacts, depending on the user's privileges.

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Affected products

Moxa · MGate 5121 Series Moxa · MGate 5122 Series Moxa · MGate 5123 Series

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.moxa.com/en/support/product-support/security-advisory/mpsa-247733-cve-2025-0193-stored-cross-site-scripting-(xss)-vulnerability-in-the-mgate-5121-5122-5123-series