CVE-2018-4842

Name of the Vulnerable Software and Affected Versions: SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) versions prior to V5.4.1 SCALANCE X-200RNA switch family versions prior to V3.2.7 SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) versions prior to V4.1.3

Description: A remote, authenticated attacker with access to the configuration web server could store script code on the web site if the HRP redundancy option is set, potentially leading to cross-site scripting (XSS) attacks. This could affect the confidentiality, integrity, and availability of the system. Successful exploitation requires user interaction, as the user needs to visit the manipulated web site. No public exploitation is known at the time of publishing this security advisory.

Recommendations: For SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) versions prior to V5.4.1, update to version V5.4.1 or later to resolve the issue. For SCALANCE X-200RNA switch family versions prior to V3.2.7, update to version V3.2.7 or later to resolve the issue. For SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) versions prior to V4.1.3, update to version V4.1.3 or later to resolve the issue. As a temporary workaround, consider disabling the HRP redundancy option until a patch is available. Restrict access to the configuration web server to minimize the risk of exploitation.