CVE-2025-52378

Cross-Site Scripting (XSS) vulnerability in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below allowing attackers to inject JavaScript code that is executed in the context of administrator sessions when viewing the device management page via the DEVICE_ALIAS parameter to the /web/um_device_set_aliasname endpoint.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Vagebondcur/nexxt-solutions-NCM-X1800-exploits
https://github.com/Vagebondcur/nexxt-solutions-NCM-X1800-exploits/blob/main/CVE-2025-52378/writeup.md

Configurations

No configuration.

History

15 Jul 2025, 20:07

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-15 15:15

Updated : 2025-07-15 20:07

NVD link : CVE-2025-52378

Mitre link : CVE-2025-52378

CVE.ORG link : CVE-2025-52378

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10