GCVE - cpe:2.3:h:phoenixcontact:fl_switch_2207-fx:-:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:h:phoenixcontact:fl_switch_2207-fx:-:*:*:*:*:*:*:*

part: h version: - update: *

Vendor	Phoenixcontact (`ad43784c-598b-51b1-a640-9cd70ab4c265`)
Product	Fl Switch 2207 Fx (`e778b7dd-684c-5d12-a808-9e6bc6d14773`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-41752`	not_vulnerable	2026-06-03 15:01:16.027296	Reflected XSS vulnerability in pxc_portSfp.php HIGH (7.1) An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:07:03.244Z Updated: 2025-12-09T16:02:03.650Z Open on db.gcve.eu Reference links https://certvde.com/en/advisories/VDE-2025-071/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41751`	not_vulnerable	2026-06-03 15:01:16.001316	Reflected XSS vulnerability in pxc_portCntr.php HIGH (7.1) An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:07:36.534Z Updated: 2025-12-09T16:01:56.009Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41750`	not_vulnerable	2026-06-03 15:01:15.984482	Reflected XSS vulnerability in pxc_PortCfg.php HIGH (7.1) An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:07:58.533Z Updated: 2025-12-09T16:01:50.217Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41749`	not_vulnerable	2026-06-03 15:01:15.971721	Reflected XSS vulnerability in port_util.php HIGH (7.1) An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:08:36.195Z Updated: 2025-12-09T16:01:44.932Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41748`	not_vulnerable	2026-06-03 15:01:15.960949	Reflected XSS vulnerability in pxc_Dot1xCfg.php HIGH (7.1) An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:09:01.251Z Updated: 2025-12-09T16:01:38.954Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41747`	not_vulnerable	2026-06-03 15:01:15.935908	Reflected XSS vulnerability in pxc_vlanIntfCfg.php HIGH (7.1) An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:09:26.183Z Updated: 2025-12-09T16:01:33.796Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41746`	not_vulnerable	2026-06-03 15:01:15.925836	Reflected XSS vulnerability in pxc_portSecCfg.php HIGH (7.1) An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:09:53.352Z Updated: 2025-12-09T16:01:26.683Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41745`	not_vulnerable	2026-06-03 15:01:15.904230	Reflected XSS vulnerability in pxc_portCntr2.php HIGH (7.1) An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:10:16.130Z Updated: 2025-12-09T16:01:21.121Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41697`	not_vulnerable	2026-06-03 15:01:15.477416	Shell access to UART Console MEDIUM (6.8) An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692. Published: 2025-12-09T08:12:16.507Z Updated: 2025-12-09T14:34:39.435Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41696`	not_vulnerable	2026-06-03 15:01:15.455899	Hardcoded User Password MEDIUM (4.6) An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device. Published: 2025-12-09T08:13:22.783Z Updated: 2025-12-09T14:33:00.553Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41695`	not_vulnerable	2026-06-03 15:01:15.430937	Reflected XSS vulnerability in dyn_conn.php HIGH (7.1) An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. Published: 2025-12-09T08:10:56.475Z Updated: 2025-12-09T14:35:21.972Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41694`	not_vulnerable	2026-06-03 15:01:15.403910	Authenticated Denial-of-Service via Webshell MEDIUM (6.5) A low privileged remote attacker can run the webshell with an empty command containing whitespace. The server will then block until it receives more data, resulting in a DoS condition of the websserver. Published: 2025-12-09T08:12:59.166Z Updated: 2025-12-09T14:33:23.571Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41693`	not_vulnerable	2026-06-03 15:01:15.395463	Authenticated Denial-of-Service via SSH MEDIUM (4.3) A low privileged remote attacker can use the ssh feature to execute commands directly after login. The process stays open and uses resources which leads to a reduced performance of the management functions. Switching functionality is not affected. Published: 2025-12-09T08:13:47.928Z Updated: 2025-12-09T14:32:35.761Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-41692`	not_vulnerable	2026-06-03 15:01:15.256577	Weak/Predictable root Password MEDIUM (6.8) A high privileged remote attacker with admin privileges for the webUI can brute-force the "root" and "user" passwords of the underlying OS due to a weak password generation algorithm. Published: 2025-12-09T08:12:40.947Z Updated: 2025-12-09T14:34:05.201Z Open on db.gcve.eu Reference links https://certvde.com/de/advisories/VDE-2025-071	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-22509`	not_vulnerable	2026-06-03 14:46:24.316690	db.gcve.eu returned HTTP 503. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.