CVE-2022-31798
published 2022-08-25

Priority: P3 (43)
CVSS 3.1: 6.1 (medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: yes
EPSS: 6.65% (93.0th percentile)
Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.

Affected (1 range)

Vendor: nortekcontrol
Product: emerge_e3_firmware
Version range: <= 0.32-07p
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: /card_scan.php?No=0000&ReaderNo=0000&CardFormatNo=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E
Path: /card_scan.php
Cookie: PHPSESSID
  • HTTP GET response body contains the string ',"CardFormatNo":""}' — indicates the vulnerable endpoint reflected the injected parameter, confirming the XSS sink.
  • Response must return HTTP 200 with Content-Type text/html for the XSS to be exploitable; use these as additional matcher conditions.
  • Shodan dork 'http.title:"eMerge"' or 'http.title:"linear emerge"' can be used to identify internet-exposed vulnerable devices.
  • FOFA dork 'title="emerge"' or 'title="linear emerge"' can be used to identify exposed instances.
  • Google dork 'intitle:"linear emerge"' or 'intitle:"emerge"' can surface publicly indexed vulnerable panels.
  • The attack chain requires chaining XSS in the CardFormatNo parameter with session fixation via the PHPSESSID cookie to achieve full account takeover of admin or lower-privileged users.
  • The vulnerability affects Nortek Linear eMerge E3-Series firmware version 0.32-07p specifically; detections should be scoped to this firmware version.
  • The XSS and session fixation must be chained together to achieve account takeover; XSS alone is insufficient for full exploitation.