Search criteria
2 vulnerabilities found for FNIP-4xSH by P5
CVE-2020-37148 (GCVE-0-2020-37148)
Vulnerability from nvd – Published: 2026-02-05 16:14 – Updated: 2026-05-25 23:41
VLAI
Title
P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS)
Summary
P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | technical-descriptionexploit |
| https://www.exploit-db.com/exploits/48362 | exploit |
| https://packetstormsecurity.com/files/156170/P5-F… | exploit |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | third-party-advisory |
| https://www.p5.hu/ | product |
| https://www.vulncheck.com/advisories/p-fnip-xafni… | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| P5 | FNIP-8x16A |
Affected:
1.0.20
Affected: 1.0.11 |
|
| P5 | FNIP-4xSH |
Affected:
1.0.20
Affected: 1.0.11 |
Date Public
2020-01-29 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37148",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T16:57:44.332371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T16:58:39.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FNIP-8x16A",
"vendor": "P5",
"versions": [
{
"status": "affected",
"version": "1.0.20"
},
{
"status": "affected",
"version": "1.0.11"
}
]
},
{
"defaultStatus": "unknown",
"product": "FNIP-4xSH",
"vendor": "P5",
"versions": [
{
"status": "affected",
"version": "1.0.20"
},
{
"status": "affected",
"version": "1.0.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gjoko \u0027LiquidWorm\u0027 Krstic (@zeroscience)"
}
],
"datePublic": "2020-01-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user\u0027s browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the \u0027lab4\u0027 parameter in config.html."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:41:11.029Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Zero Science Lab Disclosure (ZSL-2020-5564)",
"tags": [
"technical-description",
"exploit"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php"
},
{
"name": "ExploitDB-48362",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48362"
},
{
"name": "Packet Storm Entry",
"tags": [
"exploit"
],
"url": "https://packetstormsecurity.com/files/156170/P5-FNIP-8x16A-FNIP-4xSH-1.0.20-CSRF-XSS.html"
},
{
"name": "IBM X-Force Vulnerability Report",
"tags": [
"third-party-advisory"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/176993"
},
{
"name": "P5 Vendor Homepage",
"tags": [
"product"
],
"url": "https://www.p5.hu/"
},
{
"name": "VulnCheck Advisory: P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS)",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/p-fnip-xafnip-xsh-stored-cross-site-scripting-xss"
}
],
"title": "P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS)",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37148",
"datePublished": "2026-02-05T16:14:54.874Z",
"dateReserved": "2026-02-03T16:27:45.309Z",
"dateUpdated": "2026-05-25T23:41:11.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37148 (GCVE-0-2020-37148)
Vulnerability from cvelistv5 – Published: 2026-02-05 16:14 – Updated: 2026-05-25 23:41
VLAI
Title
P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS)
Summary
P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | technical-descriptionexploit |
| https://www.exploit-db.com/exploits/48362 | exploit |
| https://packetstormsecurity.com/files/156170/P5-F… | exploit |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | third-party-advisory |
| https://www.p5.hu/ | product |
| https://www.vulncheck.com/advisories/p-fnip-xafni… | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| P5 | FNIP-8x16A |
Affected:
1.0.20
Affected: 1.0.11 |
|
| P5 | FNIP-4xSH |
Affected:
1.0.20
Affected: 1.0.11 |
Date Public
2020-01-29 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37148",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T16:57:44.332371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T16:58:39.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FNIP-8x16A",
"vendor": "P5",
"versions": [
{
"status": "affected",
"version": "1.0.20"
},
{
"status": "affected",
"version": "1.0.11"
}
]
},
{
"defaultStatus": "unknown",
"product": "FNIP-4xSH",
"vendor": "P5",
"versions": [
{
"status": "affected",
"version": "1.0.20"
},
{
"status": "affected",
"version": "1.0.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gjoko \u0027LiquidWorm\u0027 Krstic (@zeroscience)"
}
],
"datePublic": "2020-01-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user\u0027s browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the \u0027lab4\u0027 parameter in config.html."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:41:11.029Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Zero Science Lab Disclosure (ZSL-2020-5564)",
"tags": [
"technical-description",
"exploit"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php"
},
{
"name": "ExploitDB-48362",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48362"
},
{
"name": "Packet Storm Entry",
"tags": [
"exploit"
],
"url": "https://packetstormsecurity.com/files/156170/P5-FNIP-8x16A-FNIP-4xSH-1.0.20-CSRF-XSS.html"
},
{
"name": "IBM X-Force Vulnerability Report",
"tags": [
"third-party-advisory"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/176993"
},
{
"name": "P5 Vendor Homepage",
"tags": [
"product"
],
"url": "https://www.p5.hu/"
},
{
"name": "VulnCheck Advisory: P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS)",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/p-fnip-xafnip-xsh-stored-cross-site-scripting-xss"
}
],
"title": "P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS)",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37148",
"datePublished": "2026-02-05T16:14:54.874Z",
"dateReserved": "2026-02-03T16:27:45.309Z",
"dateUpdated": "2026-05-25T23:41:11.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}