PT-2022-20237 · Siemens · Simatic Et 200Pro Im154-8F Pn/Dp Cpu+21

Published 2022-11-08 · Updated 2023-04-11 · CVE-2022-30694

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

SIMATIC Drive Controller family versions prior to V3.2.19
SIMATIC ET 200S IM151-8 PN/DP CPU versions prior to V3.2.19
SIMATIC ET 200S IM151-8F PN/DP CPU versions prior to V3.2.19
SIMATIC ET 200pro IM154-8 PN/DP CPU versions prior to V3.2.19
SIMATIC ET 200pro IM154-8F PN/DP CPU versions prior to V3.2.19
SIMATIC ET 200pro IM154-8FX PN/DP CPU versions prior to V3.2.19
SIMATIC PC Station versions V2.1 and later
SIMATIC S7-1200 CPU family versions prior to V3.2.19
SIMATIC S7-1500 CPU family versions prior to V3.2.19
SIMATIC S7-1500 Software Controller versions prior to V3.2.19
SIMATIC S7-300 CPU 314C-2 PN/DP versions prior to V3.3.19
SIMATIC S7-300 CPU 315-2 PN/DP versions prior to V3.2.19
SIMATIC S7-300 CPU 315F-2 PN/DP versions prior to V3.2.19
SIMATIC S7-300 CPU 315T-3 PN/DP versions prior to V3.2.19
SIMATIC S7-300 CPU 317-2 PN/DP versions prior to V3.2.19
SIMATIC S7-300 CPU 317F-2 PN/DP versions prior to V3.2.19
SIMATIC S7-300 CPU 317T-3 PN/DP versions prior to V3.2.19
SIMATIC S7-300 CPU 317TF-3 PN/DP versions prior to V3.2.19
SIMATIC S7-300 CPU 319-3 PN/DP versions prior to V3.2.19
SIMATIC S7-300 CPU 319F-3 PN/DP versions prior to V3.2.19
SIMATIC S7-400 PN/DP V6 CPU family versions prior to V3.2.19
SIMATIC S7-400 PN/DP V7 CPU family versions prior to V3.2.19
SIMATIC S7-PLCSIM Advanced versions prior to V3.2.19
SIMATIC WinCC Runtime Advanced versions prior to V3.2.19
SINUMERIK ONE versions prior to V3.2.19
SIPLUS ET 200S IM151-8 PN/DP CPU versions prior to V3.2.19
SIPLUS ET 200S IM151-8F PN/DP CPU versions prior to V3.2.19
SIPLUS S7-300 CPU 314C-2 PN/DP versions prior to V3.3.19
SIPLUS S7-300 CPU 315-2 PN/DP versions prior to V3.2.19
SIPLUS S7-300 CPU 315F-2 PN/DP versions prior to V3.2.19
SIPLUS S7-300 CPU 317-2 PN/DP versions prior to V3.2.19
SIPLUS S7-300 CPU 317F-2 PN/DP versions prior to V3.2.19
Description

The login endpoint "/FormLogin" in affected web services does not apply proper origin checking. This could allow authenticated remote attackers to track the activities of other users via a login cross-site request forgery attack.
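As an added illustration (not Siemens code and not the firmware's actual logic), the origin check that the description says is missing, written as a small Python handler for a hypothetical "/FormLogin" endpoint; the allowed origin, header dictionaries and form values are constructed sample data.

```python
# Added example: fail-closed origin checking for a login form handler.
# ALLOWED_ORIGINS and all request samples are constructed for this demo.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://plc.example.internal"}  # constructed value


def request_origin(headers):
    """Return the scheme://host[:port] the browser reports, or None.

    Browsers send Origin on cross-site POSTs; Referer is used as a fallback
    for clients that omit Origin. A literal "null" Origin is treated as unknown.
    """
    origin = headers.get("Origin")
    if origin and origin.lower() != "null":
        return origin.rstrip("/").lower()
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def login_request_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Accept a login POST only when it provably comes from a known origin.

    Missing or unparseable origin information is rejected: a cross-site
    form post must not pass just because the headers were absent.
    """
    origin = request_origin(headers)
    return origin is not None and origin in {a.lower() for a in allowed}


def handle_form_login(method, headers, form):
    """Stand-in for a /FormLogin handler; returns (status, body)."""
    if method != "POST":
        return 405, "method not allowed"
    if not login_request_allowed(headers):
        return 403, "cross-origin login rejected"
    # Real credential verification would follow; this stub only reports
    # success so that the origin gate is the behaviour under test.
    return 200, f"logged in as {form.get('user', '')}"


# Constructed sample requests: same-site, from another site, headers stripped.
SAME_SITE = {"Origin": "https://plc.example.internal"}
OTHER_SITE = {"Origin": "https://other-site.example",
              "Referer": "https://other-site.example/page"}
NO_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}
```

The check complements, rather than replaces, a per-session anti-CSRF token on the login form and SameSite cookie attributes.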
Recommendations

For SIMATIC Drive Controller family versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC ET 200S IM151-8 PN/DP CPU versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC ET 200S IM151-8F PN/DP CPU versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC ET 200pro IM154-8 PN/DP CPU versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC ET 200pro IM154-8F PN/DP CPU versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC ET 200pro IM154-8FX PN/DP CPU versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC PC Station versions V2.1 and later, update to a version that includes the fix for this issue.
For SIMATIC S7-1200 CPU family versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-1500 CPU family versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-1500 Software Controller versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 314C-2 PN/DP versions prior to V3.3.19, update to version V3.3.19 or later.
For SIMATIC S7-300 CPU 315-2 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 315F-2 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 315T-3 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 317-2 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 317F-2 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 317T-3 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 317TF-3 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 319-3 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-300 CPU 319F-3 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-400 PN/DP V6 CPU family versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-400 PN/DP V7 CPU family versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC S7-PLCSIM Advanced versions prior to V3.2.19, update to version V3.2.19 or later.
For SIMATIC WinCC Runtime Advanced versions prior to V3.2.19, update to version V3.2.19 or later.
For SINUMERIK ONE versions prior to V3.2.19, update to version V3.2.19 or later.
For SIPLUS ET 200S IM151-8 PN/DP CPU versions prior to V3.2.19, update to version V3.2.19 or later.
For SIPLUS ET 200S IM151-8F PN/DP CPU versions prior to V3.2.19, update to version V3.2.19 or later.
For SIPLUS S7-300 CPU 314C-2 PN/DP versions prior to V3.3.19, update to version V3.3.19 or later.
For SIPLUS S7-300 CPU 315-2 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIPLUS S7-300 CPU 315F-2 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIPLUS S7-300 CPU 317-2 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.
For SIPLUS S7-300 CPU 317F-2 PN/DP versions prior to V3.2.19, update to version V3.2.19 or later.

As a temporary workaround, consider restricting access to the "/FormLogin" endpoint until a patch is available.

Fix

Weakness Enumeration

CSRF

Related Identifiers

CVE-2022-30694

Affected Products

Simatic Drive Controller
Simatic Et 200S Im151-8F Pn/Dp Cpu
Simatic Et 200Pro Im154-8F Pn/Dp Cpu
Simatic Pc Station
Simatic S7-1200 Cpu
Simatic S7-1500 Cpu
Simatic S7-1500 Software Controller
Simatic S7-300 Cpu 314C-2 Pn/Dp
Simatic S7-300 Cpu 315F-2 Pn/Dp
Simatic S7-300 Cpu 315T-3 Pn/Dp
Simatic S7-300 Cpu 317F-2 Pn/Dp
Simatic S7-300 Cpu 317Tf-3 Pn/Dp
Simatic S7-300 Cpu 319F-3 Pn/Dp
Simatic S7-400 Pn/Dp V6
Simatic S7-400 Pn/Dp V7
Simatic S7-Plcsim Advanced
Simatic Wincc Runtime Advanced
Sinumerik One
Siplus Et 200S Im151-8F Pn/Dp Cpu
Siplus S7-300 Cpu 314C-2 Pn/Dp
Siplus S7-300 Cpu 315-2 Pn/Dp
Siplus S7-300 Cpu 317-2 Pn/Dp