This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: A Cross-Site Scripting (XSS) flaw in Nortek Control Linear eMerge E3-Series. <br>π₯ **Consequences**: Attackers inject malicious scripts via the `type` parameter.β¦
π’ **Affected Product**: Nortek Control Linear eMerge E3-Series (Access Control Controller). <br>π¦ **Versions**: 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e.
Q4What can hackers do? (Privileges/Data)
π° **Attacker Actions**: Steal cookie-based authentication credentials. <br>π **Impact**: Launch further attacks within the context of the affected site.β¦
π’ **Public Exp?**: Yes. <br>π **PoC Available**: Proof-of-Concept code is available on GitHub (e.g., `amitlttwo/CVE-2022-46381`) and in Nuclei templates. Wild exploitation is possible if targets are exposed.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for the specific PHP file `badging/badge_template_v0.php`.β¦
π§ **Workaround**: If no patch is available, restrict network access to the eMerge E3-Series interface. <br>π« **Mitigation**: Implement WAF rules to block XSS payloads in the `type` parameter.β¦
π₯ **Urgency**: High. <br>π **Priority**: Critical for security teams managing access control systems. XSS can lead to full system compromise via credential theft. Patch immediately or isolate the device.