PT-2022-25261 · Siemens · Pxg3.W100-2+9
Published
2022-10-11
·
Updated
2022-10-12
·
CVE-2022-40180
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Desigo PXM30-1 versions prior to V02.20.126.11-41
Desigo PXM30.E versions prior to V02.20.126.11-41
Desigo PXM40-1 versions prior to V02.20.126.11-41
Desigo PXM40.E versions prior to V02.20.126.11-41
Desigo PXM50-1 versions prior to V02.20.126.11-41
Desigo PXM50.E versions prior to V02.20.126.11-41
PXG3.W100-1 versions prior to V02.20.126.11-37
PXG3.W100-2 versions prior to V02.20.126.11-41
PXG3.W200-1 versions prior to V02.20.126.11-37
PXG3.W200-2 versions prior to V02.20.126.11-41
Description
A Cross-Site Request Forgery exists in the "Import Files" functionality of the "Operation" web application due to the missing validation of anti-CSRF tokens or other origin checks. A remote unauthenticated attacker can upload and enable permanent arbitrary JavaScript code into the device just by convincing a victim to visit a specifically crafted webpage while logged-in to the device web application.
Recommendations
For Desigo PXM30-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM30.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM40-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM40.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM50-1 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For Desigo PXM50.E versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For PXG3.W100-1 versions prior to V02.20.126.11-37, update to version V02.20.126.11-37 or later.
For PXG3.W100-2 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
For PXG3.W200-1 versions prior to V02.20.126.11-37, update to version V02.20.126.11-37 or later.
For PXG3.W200-2 versions prior to V02.20.126.11-41, update to version V02.20.126.11-41 or later.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Desigo Pxm30-1
Desigo Pxm30.E
Desigo Pxm40-1
Desigo Pxm40.E
Desigo Pxm50-1
Desigo Pxm50.E
Pxg3.W100-1
Pxg3.W100-2
Pxg3.W200-1
Pxg3.W200-2