Critical Vulnerability Information

Vulnerability Overview

CVE ID: CVE-2024-55040
Product: Sensaphone Web600 Monitoring System
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Affected Areas: System settings, configuration files, and zone options
Severity: Medium to Low

Vulnerability Details

1. Stored XSS via Web600 Settings
- Attackers can inject arbitrary JavaScript payloads into the name, description, and location fields within system settings.
- Exploitation Method: Crafted GET requests to , placing payloads in the , , and parameters.

2. Stored XSS via Web600 Configuration Files
- Attackers can inject arbitrary JavaScript payloads through the device configuration file options.
- Exploitation Method: Crafted GET requests to , placing payloads in the parameter.

3. Stored XSS via Web600 Zones
- Attackers can inject arbitrary JavaScript payloads through zone options.
- Exploitation Method: Crafted GET requests to , placing payloads in the parameter.

Disclosure Timeline

September 23, 2023: Researcher submitted vulnerability disclosure report
October 21, 2024: Vendor confirmed the vulnerability
October 21, 2024 – November 4, 2024: Researcher inquired whether vendor planned to fix (no response)
November 22, 2024: Researcher submitted CVE request to MITRE
January 31, 2025: CVE-2024-55040 reserved by MITRE

Impact and Risk

Limited Impact: The vulnerability has limited severity but allows low-privileged users to steal session tokens, escalate privileges, and perform unauthorized modifications.
Vendor Response: Vendor did not respond regarding patch release, noting that the product should be operated on private networks to reduce exploitation risk.
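
Because all three injection paths described under Vulnerability Details use crafted GET requests, the payloads travel in the query string and can be spotted in a proxy or access log. The following detection sketch is an added example, not code from the researcher or vendor. It assumes Common Log Format input, and the request paths and the `label` parameter name are placeholders, since the advisory text does not give the real endpoints or parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request portion of a Common/Combined Log Format line (assumed log format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"')

# Markup that has no place in a name, description, location or zone value:
# an opening/closing tag, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_lines):
    """Return (client_ip, path, parameter, decoded_value) for suspicious GET parameters."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        url = urlsplit(m.group("url"))
        # parse_qsl decodes once; fully_decode handles any further encoding layers.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if MARKUP_RE.search(decoded):
                hits.append((m.group("ip"), url.path, name, decoded))
    return hits


# Constructed sample lines; paths and the "label" parameter are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2025:10:00:00 +0000] "GET /settings-placeholder?name=Boiler+Room&location=Basement HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Feb/2025:10:02:11 +0000] "GET /settings-placeholder?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Feb/2025:10:03:40 +0000] "GET /zone-placeholder?label=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 498',
    '10.0.0.7 - - [01/Feb/2025:10:05:02 +0000] "GET /zone-placeholder?label=Freezer+%3C+-10C HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(hit)
```

The last sample line shows a legitimate value containing a bare `<`, which the pattern deliberately does not flag. Any hit is a reason to review the stored field on the device itself, since the payload persists after the request.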