PT-2022-25258 · Siemens · PXG3.W100-2 (+9)
Published: 2022-10-11 · Updated: 2022-10-12 · CVE-2022-40178
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Desigo PXM30-1 versions prior to V02.20.126.11-41
Desigo PXM30.E versions prior to V02.20.126.11-41
Desigo PXM40-1 versions prior to V02.20.126.11-41
Desigo PXM40.E versions prior to V02.20.126.11-41
Desigo PXM50-1 versions prior to V02.20.126.11-41
Desigo PXM50.E versions prior to V02.20.126.11-41
PXG3.W100-1 versions prior to V02.20.126.11-37
PXG3.W100-2 versions prior to V02.20.126.11-41
PXG3.W200-1 versions prior to V02.20.126.11-37
PXG3.W200-2 versions prior to V02.20.126.11-41
Description
A security issue exists due to improper neutralization of input during web page generation in the "Import Files" functionality of the "Operation" web application. The root cause is missing validation of the titles (names) of the files contained in the uploaded package, which are rendered into the generated page without sanitization. By uploading a specially crafted graphics package, a remote low-privileged attacker can execute arbitrary JavaScript code in the browser of a user who views the affected page.
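The pattern the advisory describes is file names taken from an uploaded package and written straight into HTML. The following is an added illustration written for this page, not Siemens code and not the Desigo/PXG implementation: it lists the entries of a constructed in-memory ZIP package, shows the unsafe rendering beside a hardened one, and adds an allow-list check on the titles so a package with a malformed name is rejected before anything is rendered. The function names, the allow-list pattern and the sample package are all assumptions for the demo.

```python
"""Added example (not vendor code): rendering uploaded-package file titles
into an HTML listing, the unsafe way and the hardened way.

Assumptions (hypothetical): the import feature lists the names of the files
inside an uploaded ZIP in an HTML table. The package is constructed in memory.
"""
import html
import io
import re
import zipfile


def build_sample_package() -> bytes:
    """Constructed sample: one ordinary entry and one whose name carries markup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("floorplan.svg", "<svg/>")
        zf.writestr("<script>alert(1)</script>.svg", "<svg/>")
    return buf.getvalue()


def list_titles(package: bytes) -> list[str]:
    """Return the entry names of the package exactly as stored in the archive."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return [info.filename for info in zf.infolist()]


def render_unsafe(titles: list[str]) -> str:
    """Vulnerable pattern: untrusted names concatenated directly into markup."""
    rows = "".join(f"<tr><td>{t}</td></tr>" for t in titles)
    return f"<table>{rows}</table>"


# Allow-list for a file title: a plain basename, no path separators, no markup.
# The exact pattern is an assumption; tighten it to what the feature really needs.
_SAFE_TITLE = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def validate_titles(titles: list[str]) -> list[str]:
    """Return the titles that fail the allow-list (empty list means all are acceptable)."""
    return [t for t in titles if not _SAFE_TITLE.fullmatch(t) or t in (".", "..")]


def render_safe(titles: list[str]) -> str:
    """Hardened rendering: HTML-escape at output even though titles were validated."""
    rows = "".join(f"<tr><td>{html.escape(t, quote=True)}</td></tr>" for t in titles)
    return f"<table>{rows}</table>"


def import_package(package: bytes) -> tuple[bool, str]:
    """Validate all titles first; return (True, html) or (False, reason)."""
    titles = list_titles(package)
    bad = validate_titles(titles)
    if bad:
        return False, f"rejected: {len(bad)} file title(s) fail the allow-list"
    return True, render_safe(titles)


if __name__ == "__main__":
    pkg = build_sample_package()
    print("unsafe:", render_unsafe(list_titles(pkg)))
    print("import:", import_package(pkg))
```

Validation at upload time (reject the package) and escaping at render time (neutralize whatever does get through) are independent controls; the advisory's root cause is the absence of the first, and the hardened path above keeps both so a gap in one does not reopen the issue.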
Recommendations
For Desigo PXM30-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM30.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM40-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM40.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM50-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM50.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For PXG3.W100-1 versions prior to V02.20.126.11-37, update to version V02.20.126.11-37 or later.
For PXG3.W100-2 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For PXG3.W200-1 versions prior to V02.20.126.11-37, update to version V02.20.126.11-37 or later.
For PXG3.W200-2 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
As a temporary workaround, consider restricting access to the "Import Files" functionality in the "Operation" web application until a patch is available.
Fix
XSS