{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43687", "assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5", "state": "PUBLISHED", "assignerShortName": "Microchip", "dateReserved": "2024-08-14T15:39:44.265Z", "datePublished": "2024-10-04T19:41:15.354Z", "dateUpdated": "2025-05-23T15:13:13.627Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["banner config"], "product": "TimeProvider 4100", "vendor": "Microchip", "versions": [{"lessThan": "2.4.7", "status": "affected", "version": "1.0", "versionType": "firmware"}, {"lessThan": "2.5", "status": "affected", "version": "2.4.16", "versionType": "firmware"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Armando Huesca Prida"}, {"lang": "en", "type": "finder", "value": "Marco Negro"}, {"lang": "en", "type": "finder", "value": "Antonio Carriero"}, {"lang": "en", "type": "finder", "value": "Vito Pistillo"}, {"lang": "en", "type": "finder", "value": "Davide Renna"}, {"lang": "en", "type": "finder", "value": "Manuel Leone"}, {"lang": "en", "type": "finder", "value": "Massimiliano Brolli"}, {"lang": "en", "type": "reporter", "value": "TIM Security Red Team Research"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimeProvider 4100 (banner config modules) allows Cross-Site Scripting (XSS).<p>This issue affects TimeProvider 4100: from 1.0 before 2.4.7.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimeProvider 4100 (banner config modules) allows Cross-Site Scripting (XSS).This issue affects TimeProvider 4100: from 1.0 before 2.4.7."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": 
[{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "PRESENT", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 7.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:P/AU:Y/R:U/V:D/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5", "shortName": "Microchip", "dateUpdated": "2025-05-23T15:13:13.627Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner"}, {"tags": ["third-party-advisory"], "url": "https://www.gruppotim.it/it/footer/red-team.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Separate the access to the management port and the timing service ports into separate networks with appropriate access controls."}], "value": "Separate the access to the management port and the timing service ports into separate networks with appropriate access controls."}], "source": {"advisory": "PSIRT-84", "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-06-27T11:03:00.000Z", "value": "Reported"}], "title": "XSS 
vulnerability in bannerconfig endpoint in TimeProvider 4100", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "It\n is important to note that the web interface is only available on a \nphysically separate management port and these vulnerabilities have no \nimpact on the timing service ports. For added security, users have the \noption to disable the web interface, further protecting the device from \npotential web-based exploitation.<div><div>\n\n</div>\n\n \n\n</div>"}], "value": "It\n is important to note that the web interface is only available on a \nphysically separate management port and these vulnerabilities have no \nimpact on the timing service ports. For added security, users have the \noption to disable the web interface, further protecting the device from \npotential web-based exploitation."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-04T21:21:43.789883Z", "id": "CVE-2024-43687", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-04T22:16:09.913Z"}}]}}