PT-2024-11656 · Kostal · Kostal Piko 1.5-1 Mp Plus Hmi Oem P

Published

2024-06-21

·

Updated

2024-07-03

·

CVE-2022-42974

CVSS v3.1

4.8

Medium

Vector

AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Kostal PIKO 1.5-1 MP plus HMI OEM p version 1.0.1

Description

The web application of the solar inverter is vulnerable to stored cross-site scripting (XSS) on the "/file.bootloader.upload.html" endpoint. The application does not sanitize the filename parameter of the POST request used to submit a system update, so an attacker can inject HTML and/or JavaScript that the application then processes and stores. Any later request to a page that retrieves the stored value renders the injected content in the victim's browser without further interaction. The injection executes because the stored filename is written into the page through the innerHTML property, which parses the value as HTML instead of displaying it as text.

Recommendations

As a temporary workaround until a patch is available, do not write the stored filename into the page through innerHTML; assign it with textContent or HTML-encode it before rendering. Restrict access to the "/file.bootloader.upload.html" endpoint to trusted administrators and networks to limit exposure. Do not rely on the filename parameter of the affected endpoint until the issue is resolved.
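The sink described above, shown as an added example that is not code from Kostal, the device firmware, or this advisory: a constructed multipart upload whose filename carries a payload is passed through a raw innerHTML-style render, through an HTML-encoded render, and through a server-side allowlist. The field name "file", the wrapping span markup, the multipart body and the parseFilename helper are assumptions made for the demonstration.

```javascript
// Added example for this advisory: not code from Kostal, the device
// firmware, or the PT advisory. The multipart body, the field name "file",
// and the <span> markup used for rendering are assumptions for the demo.

// Constructed POST body of a system-update upload to
// /file.bootloader.upload.html. The filename carries an XSS payload; the
// file bytes themselves do not matter for the issue.
const BOUNDARY = '----demoboundary1234';
const PAYLOAD_NAME = 'update.bin<img src=x onerror=alert(document.cookie)>';
const UPLOAD_BODY =
  `--${BOUNDARY}\r\n` +
  `Content-Disposition: form-data; name="file"; filename="${PAYLOAD_NAME}"\r\n` +
  'Content-Type: application/octet-stream\r\n' +
  '\r\n' +
  'firmware-bytes\r\n' +
  `--${BOUNDARY}--\r\n`;

// Minimal extraction of the filename parameter from the multipart body
// (hypothetical stand-in for whatever the device firmware does).
function parseFilename(body) {
  const m = /filename="([^"]*)"/.exec(body);
  return m ? m[1] : null;
}

// Vulnerable sink: the stored filename is concatenated into markup that the
// update page assigns to element.innerHTML, so the browser parses the
// <img onerror=...> tag and runs its handler.
function renderVulnerable(filename) {
  return `<span class="fname">${filename}</span>`;
}

// Hardened sink: HTML-encode the value before it reaches innerHTML. In the
// browser, assigning the raw value to element.textContent has the same effect.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(filename) {
  return `<span class="fname">${escapeHtml(filename)}</span>`;
}

// Server-side input validation: a firmware image name has no business
// containing markup. Allowlist a conservative character set and length.
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
function isSafeFilename(filename) {
  return typeof filename === 'string' && SAFE_FILENAME.test(filename);
}

// Does the rendered markup contain a tag that would execute script, or an
// event-handler attribute inside a tag? Encoded text such as "&lt;img" does
// not count, because the browser never parses it as a tag.
function containsActiveMarkup(html) {
  return /<\s*(img|script|svg|iframe|object|embed)\b|<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Walk the constructed request through validation and both sinks.
function demo() {
  const name = parseFilename(UPLOAD_BODY);
  const vulnerableHtml = renderVulnerable(name);
  const hardenedHtml = renderHardened(name);
  return {
    name,
    accepted: isSafeFilename(name),
    vulnerableHtml,
    hardenedHtml,
    vulnerableExecutes: containsActiveMarkup(vulnerableHtml),
    hardenedExecutes: containsActiveMarkup(hardenedHtml),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the script prints the parsed filename, shows that the allowlist rejects it, and contrasts the two rendered strings: the raw one contains a live img tag with an onerror handler, the encoded one contains only text. The encoding fix belongs on the page that renders the stored value; the allowlist belongs in the upload handler, so that the payload is never stored in the first place.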

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-42974

Affected Products

Kostal Piko 1.5-1 Mp Plus Hmi Oem P