7.1
CVE-2022-46670
- EPSS 0.02%
- Published 16.12.2022 21:15:09
- Last modified 21.11.2024 07:30:52
- Source PSIRT@rockwellautomation.com
Rockwell Automation was made aware of a vulnerability by a security researcher from Georgia Institute of Technology that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution. The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.
Data provided by the National Vulnerability Database (NVD)
Rockwellautomation ≫ Micrologix 1400 Firmware Version-
Rockwellautomation ≫ Micrologix 1100 Firmware Version-
Rockwellautomation ≫ Micrologix 1400-b Firmware Version <= 21.007
Rockwellautomation ≫ Micrologix 1400-c Firmware Version <= 21.007
Rockwellautomation ≫ Micrologix 1400-a Firmware Version <= 7.000
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.02% | 0.035 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
PSIRT@rockwellautomation.com | 7.1 | 2.8 | 3.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.