PT-2019-2108 · Siemens · Simatic Hmi Classic Devices+6

Published 2019-05-14 · Updated 2019-05-22 · CVE-2019-6577

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

SIMATIC HMI Comfort Panels 4" - 22", versions prior to V15.1 Update 1
SIMATIC HMI Comfort Outdoor Panels 7" & 15", versions prior to V15.1 Update 1
SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, and KTP900F, versions prior to V15.1 Update 1
SIMATIC WinCC Runtime Advanced, versions prior to V15.1 Update 1
SIMATIC WinCC Runtime Professional, versions prior to V15.1 Update 1
SIMATIC WinCC (TIA Portal), versions prior to V15.1 Update 1
SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel), affected versions not specified
Description

The integrated web server in the affected devices could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify particular parts of the device configuration via SNMP. The issue could be exploited by an attacker with network access to the affected system, requiring system privileges and user interaction. Successful exploitation could compromise the confidentiality and integrity of the affected system. No public exploitation is known at the time of publishing this security advisory.
Recommendations

For SIMATIC HMI Comfort Panels 4" - 22" versions prior to V15.1 Update 1, update to V15.1 Update 1 or later.
For SIMATIC HMI Comfort Outdoor Panels 7" & 15" versions prior to V15.1 Update 1, update to V15.1 Update 1 or later.
For SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, and KTP900F versions prior to V15.1 Update 1, update to V15.1 Update 1 or later.
For SIMATIC WinCC Runtime Advanced versions prior to V15.1 Update 1, update to V15.1 Update 1 or later.
For SIMATIC WinCC Runtime Professional versions prior to V15.1 Update 1, update to V15.1 Update 1 or later.
For SIMATIC WinCC (TIA Portal) versions prior to V15.1 Update 1, update to V15.1 Update 1 or later.
For SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel), at the moment there is no information about a newer version that contains a fix for this vulnerability.

XSS


Weakness Enumeration

Related identifiers

BDU:2019-01864
CVE-2019-6577

Affected products

Simatic Hmi Classic Devices
Simatic Hmi Comfort Outdoor Panels
Simatic Hmi Comfort Panels
Simatic Hmi Ktp Mobile Panels
Simatic Wincc
Simatic Wincc Runtime Advanced
Simatic Wincc Runtime Professional