Wiesemann & Theis: Multiple Vulnerabilities in the Com-Server Family

Advisory ID: VDE-2022-043
Last update: 11/07/2022 13:14
Published at: 11/07/2022 12:43
Vendor(s): Wiesemann & Theis GmbH
External ID: VDE-2022-043

Summary

Multiple Wiesemann & Theis product families are affected by multiple vulnerabilities in the web interface.

Impact

See CVEs for further details.

Affected Product(s)

Model no.  Product name                         Affected versions
58666      AT-Modem-Emulator                    <1.48
58665      Com-Server ++                        <1.48
58664      Com-Server 20mA                      <1.48
58651      Com-Server Highspeed 100BaseFX       <1.76
58652      Com-Server Highspeed 100BaseLX       <1.76
58331      Com-Server Highspeed 19" 1Port       <1.76
58334      Com-Server Highspeed 19" 4Port       <1.76
58231      Com-Server Highspeed Compact         <1.76
58631      Com-Server Highspeed Industry        <1.76
58633      Com-Server Highspeed Isolated        <1.76
58431      Com-Server Highspeed OEM             <1.76
58031      Com-Server Highspeed Office 1 Port   <1.76
58034      Com-Server Highspeed Office 4 Port   <1.76
58641      Com-Server Highspeed PoE             <1.76
58661      Com-Server LC                        <1.48
58662      Com-Server PoE 3 x Isolated          <1.48
58669      Com-Server UL                        <1.48

Vulnerabilities

Published: 09/22/2025 14:58
Weakness: Small Space of Random Values (CWE-334)
Summary

Multiple W&T products of the Comserver Series use a small number space for allocating session IDs. After a user logs in, an unauthenticated remote attacker can brute-force that user's session ID and gain access to the user's account on the device.


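The CWE-334 weakness above is about the size of the value space a session ID is drawn from, not about any flaw in how it is checked. The following added example (written for this page; it is not W&T code and says nothing about the device's actual scheme) puts a hypothetical small-space generator next to a CSPRNG-backed one and gives the arithmetic a defender can apply to session IDs observed from their own device to decide whether the space is large enough. The 64-bit baseline is the OWASP session-management recommendation.

```python
import math
import secrets
import string

# Added example, not W&T or advisory code. The weak scheme below is
# hypothetical and exists only to make a tiny value space concrete.


def weak_session_id(counter: int) -> str:
    """Hypothetical CWE-334-style scheme: a four-digit decimal ID.

    Only 10**4 distinct values exist, so every session shares a space
    that is exhausted by a few thousand requests.
    """
    return f"{counter % 10_000:04d}"


def strong_session_id(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, base64url-encoded (22 characters)."""
    return secrets.token_urlsafe(nbytes)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on session-ID entropy: log2(alphabet_size ** length).

    It is an upper bound because a generator may use far fewer values
    than its encoding could express; a real audit also checks the source.
    """
    return length * math.log2(alphabet_size)


def audit_session_ids(ids, alphabet_size: int, min_bits: float = 64.0) -> dict:
    """Judge a sample of observed IDs against a minimum entropy.

    alphabet_size is the symbol set the IDs are encoded in (10 for decimal,
    64 for base64url). The shortest observed ID bounds the space from above.
    expected_guesses is the mean number of attempts needed to hit one valid
    ID when the device does not rate-limit, i.e. half the space.
    """
    length = min(len(i) for i in ids)
    bits = keyspace_bits(alphabet_size, length)
    return {
        "length": length,
        "max_bits": bits,
        "expected_guesses": 2 ** bits / 2,
        "acceptable": bits >= min_bits,
    }


if __name__ == "__main__":
    # Constructed samples standing in for IDs captured from a device under test.
    weak_sample = [weak_session_id(i) for i in range(20)]
    strong_sample = [strong_session_id() for _ in range(20)]
    print("weak  :", audit_session_ids(weak_sample, alphabet_size=10))
    print("strong:", audit_session_ids(strong_sample, alphabet_size=64))
    assert len(string.digits) == 10  # alphabet used by the weak scheme
```

The audit reports the ceiling implied by length and alphabet; the weak scheme tops out near 13 bits and an expected 5,000 guesses, while 16 CSPRNG bytes give 128 bits regardless of how many IDs an observer collects.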
Published: 09/22/2025 14:58
Weakness: Missing Authentication for Critical Function (CWE-306)
Summary

Multiple W&T products of the ComServer Series are prone to an authentication bypass. An unauthenticated remote attacker can log in without knowledge of the password by crafting a modified HTTP GET request.


Published: 09/22/2025 14:58
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

Multiple W&T products of the ComServer Series are prone to an XSS attack. An authenticated remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into the title of the configuration web page.


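The CWE-79 entry describes a stored value (the page title) that ends up in HTML without neutralisation. The added example below is not W&T code and does not reproduce the device's firmware; it uses a constructed page template to show the vulnerable pattern beside the hardened one (entity-encoding at the render site) and adds an input-time check as defence in depth. The payload string is a constructed test value.

```python
import html
import re
from string import Template

# Added example, not code from W&T or the advisory. PAGE is a constructed
# stand-in for a configuration page that shows a user-set title twice.
PAGE = Template(
    "<html><head><title>$title</title></head>"
    "<body><h1>$title</h1></body></html>"
)

# Constructed test input of the kind an authenticated user could store as a title.
DEMO_PAYLOAD = '<script>alert("xss")</script>'


def render_unsafe(title: str) -> str:
    """Vulnerable pattern (CWE-79): the stored title is interpolated as-is,
    so the browser parses any tags it contains as markup."""
    return PAGE.substitute(title=title)


def render_safe(title: str) -> str:
    """Hardened pattern: encode <, >, &, " and ' so the title is rendered as
    text in both the <title> and <h1> contexts."""
    return PAGE.substitute(title=html.escape(title, quote=True))


# Conservative allow-list for a device label: word characters, space and a
# few punctuation marks, at most 64 characters. Chosen here as an assumption.
TITLE_RE = re.compile(r"^[\w .,:()\-]{1,64}$")


def validate_title(title: str) -> bool:
    """Defence in depth at input time. This narrows what can be stored but
    does not replace output encoding: render_safe is still required."""
    return bool(TITLE_RE.fullmatch(title))


if __name__ == "__main__":
    print(render_unsafe(DEMO_PAYLOAD))
    print(render_safe(DEMO_PAYLOAD))
    print(validate_title("Com-Server Highspeed (Rack 3)"), validate_title(DEMO_PAYLOAD))
```

Output encoding is the fix that addresses the weakness itself; the allow-list only reduces how much hostile input can be stored in the first place and is cheap to add alongside it.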
Remediation

  • Update the Com-Server family to version 1.48 or higher.

  • Update the Com-Server Highspeed family to version 1.76 or higher.

Revision History

Version  Date              Summary
1        11/07/2022 13:14  Initial revision.