PT-2023-8059 · Siemens · Opcenter Quality

Published: 2023-12-12 · Updated: 2024-10-08 · CVE-2023-46281

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Opcenter Execution Foundation versions prior to V2407
Opcenter Quality versions prior to V2312
SIMATIC PCS neo versions prior to V4.1
SINEC NMS versions prior to V2.0 SP1
Totally Integrated Automation Portal (TIA Portal) V14
Totally Integrated Automation Portal (TIA Portal) V15.1
Totally Integrated Automation Portal (TIA Portal) V16
Totally Integrated Automation Portal (TIA Portal) V17 versions prior to V17 Update 8
Totally Integrated Automation Portal (TIA Portal) V18 versions prior to V18 Update 3
SINUMERIK Integrate RunMyHMI/Automotive (affected versions not specified)

Description

The issue is related to the use of an untrusted cross-domain policy file in the UMC component of the affected products. This could allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability is due to an overly permissive CORS policy used by UMC when accessing the UMC Web-UI from affected products, which could allow an attacker to trick a legitimate user into triggering unwanted behavior.

Recommendations

For Opcenter Execution Foundation versions prior to V2407, update to version V2407 or later.
For Opcenter Quality versions prior to V2312, update to version V2312 or later.
For SIMATIC PCS neo versions prior to V4.1, update to version V4.1 or later.
For SINEC NMS versions prior to V2.0 SP1, update to version V2.0 SP1 or later.
For Totally Integrated Automation Portal (TIA Portal) V14, consider disabling the UMC Web-UI as a temporary workaround.
For Totally Integrated Automation Portal (TIA Portal) V15.1, consider disabling the UMC Web-UI as a temporary workaround.
For Totally Integrated Automation Portal (TIA Portal) V16, consider disabling the UMC Web-UI as a temporary workaround.
For Totally Integrated Automation Portal (TIA Portal) V17 versions prior to V17 Update 8, update to V17 Update 8 or later.
For Totally Integrated Automation Portal (TIA Portal) V18 versions prior to V18 Update 3, update to V18 Update 3 or later.
For SINUMERIK Integrate RunMyHMI/Automotive, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

BDU:2024-00036
CVE-2023-46281

Affected Products

Opcenter Execution Foundation
Opcenter Quality
SIMATIC PCS neo
SINEC NMS
SINUMERIK Integrate RunMyHMI/Automotive
Totally Integrated Automation Portal