2025-12-24 19:27 · CVE-2019-25244 · VulnCheck
PUBLISHED · 5.2 · CWE-79

Legrand BTicino Driver Manager F454 1.0.51 CSRF and Stored XSS Vulnerabilities

Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters.

Problem type

Affected products

BTicino S.p.A.

Legrand BTicino Driver Manager F454

1.0.51 - AFFECTED

1.1.14 - AFFECTED

References

GitHub Security Advisories

GHSA-6fff-m75x-hprm

Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow...

https://github.com/advisories/GHSA-6fff-m75x-hprm

Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2019-25244
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2019-25244",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-12-24T20:22:58.420Z",
    "dateReserved": "2025-12-24T14:27:12.476Z",
    "datePublished": "2025-12-24T19:27:59.384Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-12-24T19:27:59.384Z"
      },
      "datePublic": "2019-04-30T00:00:00.000Z",
      "title": "Legrand BTicino Driver Manager F454 1.0.51 CSRF and Stored XSS Vulnerabilities",
      "descriptions": [
        {
          "lang": "en",
          "value": "Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters."
        }
      ],
      "affected": [
        {
          "vendor": "BTicino S.p.A.",
          "product": "Legrand BTicino Driver Manager F454",
          "versions": [
            {
              "version": "1.0.51",
              "status": "affected"
            },
            {
              "version": "1.1.14",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/46850",
          "name": "ExploitDB-46850",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.bticino.com",
          "name": "BTicino Official Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5521.php",
          "name": "Zero Science Lab Disclosure (ZSL-2019-5521)",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5522.php",
          "name": "Zero Science Lab Disclosure (ZSL-2019-5522)",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-24T20:22:58.420Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://www.exploit-db.com/exploits/46850",
            "tags": [
              "exploit"
            ]
          },
          {
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5521.php",
            "tags": [
              "exploit"
            ]
          },
          {
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5522.php",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}