CVE-2025-41746 — Cross-site Scripting in Contact FL NAT 2008
Severity
7.1HIGHNVD
EPSS
0.2%
top 58.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 9
Latest updateDec 18
Description
An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cook…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.7
Affected Packages138 packages
🔴Vulnerability Details
2🔍Detection Rules
1Suricata▶
ET WEB_SPECIFIC_APPS Phoenix Contact pxc_portSecCfg.php portSelect Parameter Cross Site Scripting Attempt (CVE-2025-41746)↗2025-12-18