{
  "schema_version": "1.4.0",
  "id": "GHSA-w338-c5qq-hv3p",
  "modified": "2022-05-24T19:08:27Z",
  "published": "2022-05-24T19:08:27Z",
  "aliases": [
    "CVE-2020-25205"
  ],
  "details": "The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 is vulnerable to stored XSS in the set_banner() function of /var/www/core/controller/index.php. An unauthenticated attacker may set the contents of the /mnt/jffs2/banner.txt file, stored on the device's filesystem, to contain arbitrary JavaScript. The file contents are then used as part of a welcome/banner message presented to unauthenticated users who visit the login page for the web console. This vulnerability does not occur in the older 1.5.x firmware versions.",
  "severity": [],
  "affected": [],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25205"
    },
    {
      "type": "WEB",
      "url": "https://labs.f-secure.com/advisories"
    },
    {
      "type": "WEB",
      "url": "https://labs.f-secure.com/advisories/mimosa-ptp-devices-multiple-vulnerabilities"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-20T19:15:00Z"
  }
}