CVE-2025-57202
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk36th percentile - higher than 36% of all known CVEs
Summary
A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH DGM1104 allows attackers to inject malicious JavaScript or HTML into the username field. Successful exploitation enables arbitrary script execution in the victim's browser context.
Risk Assessment
An attacker can hijack an administrator session, steal credentials, or redirect users to malicious sites, compromising system confidentiality and integrity.
Recommendation
Immediately update the device firmware to the latest version and implement input validation and output encoding for all form fields, especially the username field.
Original NVD description (English source)
A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field.

