Summary
Multiple W&T devices are shipped with a jQuery version with a known XSS vulnerability.
Impact
Multiple W&T Products are prone to an XSS attack. An autenticated remote attacker can execute arbitrary web scripts or HTML via crafted payload injected into fields on the configuration webpage.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 50543 | FTP Data Station 3 | Firmware <1.29 |
| 50504 | Motherbox 3 | Firmware <1.48 |
| 53642 | USB-Server Industry Isochron | Firmware <2.21 |
| 50518 | pure.box 3 | Firmware <1.83 |
| 50520 | pure.box 3 Serial | Firmware <1.83 |
| 50521 | pure.box 3 Serial / USB | Firmware <1.83 |
| 50519 | pure.box 3 USB | Firmware <1.83 |
Vulnerabilities
Expand / Collapse alljQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Remediation
Update the affected devices to the firmware listed below.
Acknowledgments
Wiesemann & Theis GmbH thanks the following parties for their efforts:
- CERTVDE for Coordination (see https://certvde.com/en/ )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 05/13/2025 12:00 | Initial revision |