R.V.R. Elettronica TLK302T Telemetry Controller Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller, specifically in firmware 1.5.1799. This vulnerability allows authenticated users to inject malicious JavaScript into the Alias field under Settings → Device. The injected script is stored and later executed without proper sanitization on device pages viewed by all users.
Impact
Because the payload runs in the browser of whoever views the device page, an authenticated low-privilege user can hijack the session of an administrator or operator who later opens that page, and act with their privileges: misconfiguring the device, rebooting it, or retrieving its firmware. The payload persists in the device's stored configuration and fires for every viewer until the Alias is cleaned, so in a fleet of centrally managed broadcast or telemetry controllers a single poisoned device can compromise the shared operator accounts.
Reproduction
To reproduce this vulnerability, log in as an admin user and open the Settings → Device menu. Enter a script payload in the Alias field (a simple JavaScript alert is sufficient to confirm the issue) and save the changes. The payload is stored unmodified and executes whenever any user, including other administrators, views the device page. Note that the vulnerability is in how the field is rendered, not in who may set it; any account permitted to edit the Alias can plant the payload.
Remediation
The vendor has acknowledged this vulnerability, and users are advised to contact R.V.R. support for patched firmware. Until a fix is available, the Alias field (and any other user-supplied string shown on device pages) should be HTML-escaped at the point where it is written into the page, in the encoding appropriate to that context (element body, attribute, or script); input-side filtering alone is not sufficient. A Content Security Policy that forbids inline script limits the damage of any encoding that is missed. The web interface should also be reachable only over a VPN or from an IP allowlist, and the Alias of every device should be reviewed for unexpected markup before the operator accounts are trusted again.
