Ilevia EVE X1 Server Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Ilevia EVE X1 Server firmware versions through 4.7.18.0.eden. The issue resides in index.php, where input from the GET parameter 'error' is not properly sanitized. This vulnerability allows an unauthenticated attacker to execute arbitrary HTML or JavaScript in the context of the user's browser session on the affected site. Ilevia has chosen not to address this vulnerability and advises customers to keep port 8080 closed to external access.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's session.

Reproduction

To reproduce this vulnerability, send a request to the index.php page with a crafted 'error' parameter that includes unsanitized HTML or JavaScript. The injected code will be executed in the user's browser.

Remediation

Ilevia recommends not exposing port 8080 to the internet.