CVE-2022-40179

Name of the Vulnerable Software and Affected Versions Desigo PXM30-1 versions prior to V02.20.126.11-41 Desigo PXM30.E versions prior to V02.20.126.11-41 Desigo PXM40-1 versions prior to V02.20.126.11-41 Desigo PXM40.E versions prior to V02.20.126.11-41 Desigo PXM50-1 versions prior to V02.20.126.11-41 Desigo PXM50.E versions prior to V02.20.126.11-41 PXG3.W100-1 versions prior to V02.20.126.11-37 PXG3.W100-2 versions prior to V02.20.126.11-41 PXG3.W200-1 versions prior to V02.20.126.11-37 PXG3.W200-2 versions prior to V02.20.126.11-41

Description A Cross-Site Request Forgery issue exists in the "Operation" web application due to the missing validation of anti-CSRF tokens or other origin checks, allowing a remote unauthenticated attacker to execute arbitrary Axon queries against the device by convincing a victim to click on a malicious link or visit a specifically crafted webpage while logged-in to the device web application.

Recommendations For Desigo PXM30-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later. For Desigo PXM30.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later. For Desigo PXM40-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later. For Desigo PXM40.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later. For Desigo PXM50-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later. For Desigo PXM50.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later. For PXG3.W100-1 versions prior to V02.20.126.11-37, update to version V02.20.126.11-37 or later. For PXG3.W100-2 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later. For PXG3.W200-1 versions prior to V02.20.126.11-37, update to version V02.20.126.11-37 or later. For PXG3.W200-2 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.