PT-2018-12199 · Siemens · Simatic Hmi Classic Devices+6

Published: 2018-12-13 · Updated: 2019-10-09 · CVE-2018-13813

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

SIMATIC HMI Comfort Panels 4" - 22" versions prior to V15 Update 4
SIMATIC HMI Comfort Outdoor Panels 7" & 15" versions prior to V15 Update 4
SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F versions prior to V15 Update 4
SIMATIC WinCC Runtime Advanced versions prior to V15 Update 4
SIMATIC WinCC Runtime Professional versions prior to V15 Update 4
SIMATIC WinCC (TIA Portal) versions prior to V15 Update 4
SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (all versions)

Description

A security issue has been identified that allows the webserver of affected HMI devices to redirect URLs to untrusted websites. To exploit this, an attacker must trick an authenticated user into clicking a malicious link. At the time of publication, there were no known public exploits of this issue.

Recommendations

For SIMATIC HMI Comfort Panels 4" - 22" versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC HMI Comfort Outdoor Panels 7" & 15" versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC WinCC Runtime Advanced versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC WinCC Runtime Professional versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC WinCC (TIA Portal) versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel), all versions are affected and no specific update is mentioned; at the moment there is no information about a newer version that contains a fix for this vulnerability.

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2018-13813

Affected Products

Simatic Hmi Classic Devices
Simatic Hmi Comfort Outdoor Panels
Simatic Hmi Comfort Panels
Simatic Hmi Ktp Mobile Panels
Simatic Wincc
Simatic Wincc Runtime Advanced
Simatic Wincc Runtime Professional