CVE-2022-23127

Name of the Vulnerable Software and Affected Versions Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior ICONICS MobileHMI versions 10.96.2 and prior

Description A Cross-site Scripting issue allows a remote unauthenticated attacker to gain authentication information and perform any operation using the acquired authentication information. This is achieved by injecting a malicious script in the URL of a monitoring screen delivered from the server to an application for mobile devices, leading a legitimate user to access this URL.

Recommendations For Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior, consider disabling access to monitoring screens until a patch is available. For ICONICS MobileHMI versions 10.96.2 and prior, restrict the use of the affected URL parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.