CVE-2022-40178

EPSS 0.2%
Published 11.10.2022 11:15:10
Last modified 21.11.2024 07:21:00
Source productcert@siemens.com
Teams watchlist Login
Open Login

A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). Improper Neutralization of Input During Web Page Generation exists in the “Import Files“ functionality of the “Operation” web application, due to the missing validation of the titles of files included in the input package. By uploading a specifically crafted graphics package, a remote low-privileged attacker can execute arbitrary JavaScript code.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Siemens ≫ Desigo Pxm30-1 Firmware Version < 02.20.126.11-41

Siemens ≫ Desigo Pxm30-1 Version-

Siemens ≫ Desigo Pxm30.E Firmware Version < 02.20.126.11-41

Siemens ≫ Desigo Pxm30.E Version-

Siemens ≫ Desigo Pxm40-1 Firmware Version < 02.20.126.11-41

Siemens ≫ Desigo Pxm40-1 Version-

Siemens ≫ Desigo Pxm40.E Firmware Version < 02.20.126.11-41

Siemens ≫ Desigo Pxm40.E Version-

Siemens ≫ Desigo Pxm50-1 Firmware Version < 02.20.126.11-41

Siemens ≫ Desigo Pxm50-1 Version-

Siemens ≫ Desigo Pxm50.E Firmware Version < 02.20.126.11-41

Siemens ≫ Desigo Pxm50.E Version-

Siemens ≫ Pxg3.W100-1 Firmware Version < 02.20.126.11-37

Siemens ≫ Pxg3.W100-1 Version-

Siemens ≫ Pxg3.W100-2 Firmware Version < 02.20.126.11-41

Siemens ≫ Pxg3.W100-2 Version-

Siemens ≫ Pxg3.W200-1 Firmware Version < 02.20.126.11-37

Siemens ≫ Pxg3.W200-1 Version-

Siemens ≫ Pxg3.W200-2 Firmware Version < 02.20.126.11-41

Siemens ≫ Pxg3.W200-2 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.2%	0.423

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://cert-portal.siemens.com/productcert/pdf/ssa-360783.pdf

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-40178

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-40178

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-40178

EUVD