MEDIUM🇵🇱 Wersja polska

CVE-2025-27852

CVSS 5.0pub. 2026-05-13upd. 2026-06-02

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page.

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Garmin Empirbus Wireless Display Unit

    HW
    Garmin
    v1v2
  • Garmin Empirbus Wireless Display Unit Firmware

    OS
    Garmin
    1.4.65.00
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2025-27851CRITICAL9.3PL ✓ten sam produkt

WebSocket Hijacking w Garmin WDU — przejęcie kontroli przez sieć

CVE-2025-27850HIGH7.5ten sam produkt

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious gr...

CVE-2025-27853HIGH7.3ten sam produkt

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. ...

CVE-2023-23298CRITICAL9.8ten sam vendor

The `Toybox.Graphics.BufferedBitmap.initialize` API method in CIQ API version 2.3.0 through 4.1.7 does not val...

CVE-2023-23300CRITICAL9.8ten sam vendor

The `Toybox.Cryptography.Cipher.initialize` API method in CIQ API version 3.0.0 through 4.1.7 does not validat...