
PSIRT-124: TimePictra Stored Cross-Site Scripting

Vulnerability Details


Date of Disclosure: 02/24/2026

Affected Product: TimePictra® Web Application

  • Vulnerability Type: Stored Cross-Site Scripting
  • CVE Identifier: CVE-2026-3010
  • CVSS Score: 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
  • Vulnerability Description:
    • The network element name parameter is not subject to input validation. This can be exploited to carry out stored XSS attacks.
  • Affected Versions: 
    • Software versions up to 11.3 SP2
  • Vulnerability Status: 
    • To be addressed in a future version

Risk Assessment


Exploiting this vulnerability could allow an attacker to gather application information (e.g. session IDs) from users who subsequently view the compromised data.

Mitigation


Control access to the web application

Patch/Release Information


Input validation of user-supplied network element information may be addressed in a future release.
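
While no fixed version is available, stored network element names can be reviewed for markup, and any page that displays them should encode on output. The following is an added example, not Microchip code or part of this advisory: it flags suspicious names in a list and shows HTML output encoding. The allow-list pattern, the function names and the sample names are assumptions constructed for illustration.

```python
import html
import re
import unicodedata

# Assumed site naming convention (not from the advisory): letters, digits,
# dot, underscore, hyphen, 1-64 characters. Adjust to your own scheme.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Characters that let a stored value leave an HTML text or attribute context.
MARKUP_CHARS = set("<>\"'&`")


def check_name(name):
    """Return the reasons a name is suspicious (empty list means clean)."""
    reasons = []
    # Compatibility forms such as fullwidth brackets fold to ASCII markup.
    normalized = unicodedata.normalize("NFKC", name)
    if normalized != name:
        reasons.append("changes under NFKC normalization")
    found = sorted(MARKUP_CHARS & set(normalized))
    if found:
        reasons.append("markup characters: " + " ".join(found))
    if any(unicodedata.category(c) == "Cc" for c in normalized):
        reasons.append("control characters")
    if not reasons and not ALLOWED_NAME.fullmatch(normalized):
        reasons.append("outside allow-list")
    return reasons


def audit(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := check_name(n))}


def render_cell(name):
    """Encode a name for an HTML text node, independent of validation."""
    return html.escape(name, quote=True)


# Constructed sample list of network element names (not real data).
SAMPLE = ["TP-CORE-01", "edge.router_7", "lab<b>1</b>",
          "lab\uff1cb\uff1e", "ne\x07name", "x" * 80]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(repr(name), "->", "; ".join(reasons), "|", render_cell(name))
```

Validation at input and encoding at output are complementary: the audit finds values stored before any validation existed, and the encoding keeps a missed value from being interpreted as markup.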

Acknowledgements


Reported by Steve Lin from Bastion Security

Recommendations


It is strongly recommended that all customers upgrade to the latest version.
