MEDIUM🇬🇧 English

CVE-2025-27852

CVSS 5.0pub. 2026-05-13upd. 2026-06-02

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page.

oryginał EN
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Garmin Empirbus Wireless Display Unit

    HW
    Garmin
    v1v2
  • Garmin Empirbus Wireless Display Unit Firmware

    OS
    Garmin
    1.4.65.00
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
XSS
CWE
Referencje

Powiązane podatności

CVE-2025-27851CRITICAL9.3PL ✓ten sam produkt

WebSocket Hijacking w Garmin WDU — przejęcie kontroli przez sieć

CVE-2025-27850HIGH7.5ten sam produkt

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious gr...

CVE-2025-27853HIGH7.3ten sam produkt

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. ...

CVE-2023-23298CRITICAL9.8ten sam vendor

The `Toybox.Graphics.BufferedBitmap.initialize` API method in CIQ API version 2.3.0 through 4.1.7 does not val...

CVE-2023-23300CRITICAL9.8ten sam vendor

The `Toybox.Cryptography.Cipher.initialize` API method in CIQ API version 3.0.0 through 4.1.7 does not validat...

CVE-2025-27852 — MEDIUM 5.0 | CVEbaza.pl