CVE-2026-28770

Medium CVSS: 5.3

Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into an reflected XSS but further abuse such as XXE may be possible

Vendor

Datacast

Product

Sfx2100 Firmware

CWE

CWE-91

Yayın Tarihi

2026-03-04 07:16:14

Güncelleme

2026-03-09 18:23:14

Source Identifier

b7efe717-a805-47cf-8e9a-921fca0ce0ce

KEV Date Added

Kategoriler

CWE-91 Sfx2100 Firmware MEDIUM Datacast 2026

Referanslar

https://www.abdulmhsblog.com/posts/sfx2100-vulns/

Benzer Kayıtlar

High

CVE-2026-29128

IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g., zeb…

Critical

CVE-2026-29127

The IDC SFX2100 Satellite Receiver sets overly permissive file system permissions on the monitor user's home directory.…

High

CVE-2026-29122

International Data Casting (IDC) SFX2100 satellite receiver comes with the `/bin/date` utility installed with the setuid…

High

CVE-2026-29123

A SUID root-owned binary in /home/xd/terminal/XDTerminal in International Data Casting (IDC) SFX2100 on Linux allows a l…

High

CVE-2026-29124

Multiple SUID root-owned binaries are found in /home/monitor/terminal, /home/monitor/kore-terminal, /home/monitor/IDE-DP…

High

CVE-2026-29125

IDC SFX2100 Satalite Recievers set the `/etc/resolv.conf` file to be world-writable by any local user, allowing DNS reso…