PT-2023-3274 · Schneider Electric · StruxureWare Data Center Expert

Published: 2023-02-14 · Updated: 2023-04-27 · CVE-2023-25551

CVSS v2.0: 7.7 (High)
Vector: AV:N/AC:L/Au:M/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: StruxureWare Data Center Expert versions prior to 7.9.2

Description: The DCE file upload endpoint does not sufficiently neutralize request parameters before embedding them in the generated web page, so a remote attacker who tampers with those parameters over HTTP can conduct a cross-site scripting attack. This is a case of improper neutralization of input during web page generation, also known as cross-site scripting.

Recommendations: For versions prior to 7.9.2, consider disabling the file upload endpoint until a patch is available. Restrict access to the DCE file upload endpoint to reduce exposure to cross-site scripting attacks. Avoid using the endpoint for file uploads over HTTP until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
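The defect class named in the description, shown as an added Python example that is not code from Schneider Electric or DCE: a minimal upload-result handler that reflects request parameters into the page verbatim, beside a hardened version that allowlists the file name and HTML-escapes every reflected value. The parameter names (`filename`, `note`), the page template and the allowlist pattern are assumptions for illustration.

```python
import html
import re

# Hypothetical allowlist for an uploaded file's name; constructed for this
# example, not taken from the DCE product or the advisory.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def render_upload_result_vulnerable(params: dict) -> str:
    """'Before' form of the defect: request parameters land in the generated
    HTML unescaped, so any markup a client supplies is interpreted by the
    browser of whoever views the page."""
    name = params.get("filename", "")
    note = params.get("note", "")
    return f"<p>Uploaded file: {name}</p><p>Note: {note}</p>"


def render_upload_result_hardened(params: dict) -> str:
    """Neutralize input during page generation: reject file names outside a
    strict allowlist before they reach the template, and HTML-escape every
    value that is reflected (quote=True also covers attribute contexts)."""
    name = params.get("filename", "")
    note = params.get("note", "")
    if not _SAFE_NAME.match(name):
        # Generic message; never echo the rejected value back into the page.
        return "<p>Upload rejected: invalid file name.</p>"
    return (
        f"<p>Uploaded file: {html.escape(name, quote=True)}</p>"
        f"<p>Note: {html.escape(note, quote=True)}</p>"
    )


def reflects_markup(page: str, param_value: str) -> bool:
    """Regression check a defender can run against a handler: does the raw
    (unescaped) parameter value appear in the generated page?"""
    return param_value in page


if __name__ == "__main__":
    # Constructed request with benign markup in the free-text parameter.
    tampered = {"filename": "report.csv", "note": "<b>bold</b>"}
    print(reflects_markup(render_upload_result_vulnerable(tampered), "<b>bold</b>"))
    print(reflects_markup(render_upload_result_hardened(tampered), "<b>bold</b>"))
```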

Weakness Enumeration

XSS

Related Identifiers

BDU:2023-03397
CVE-2023-25551

Affected Products

StruxureWare Data Center Expert