Weidmueller: Multiple IoT and control products affected by JavaScript injection vulnerability

VDE-2022-056
Last update
12/14/2022 08:00
Published at
12/14/2022 08:00
Vendor(s)
Weidmueller Interface GmbH & Co. KG
External ID
VDE-2022-056
CSAF Document

Summary

A JavaScript injection vulnerability has been discovered in the online help of the XML editing system SCHEMA ST4 by Quanos Solutions GmbH. For details refer to the CVE. This vulnerability may allow an attacker to inject JavaScript code via URL into the affected products.

Impact

This vulnerability may allow an attacker to inject JavaScript code via URL into the affected products.
As the affected products require authentication, exploiting this vulnerability would require an attacker to trick a logged-in user into opening a malicious link.
Exploitation of this vulnerability may, for example, result in a DoS of the affected products, access to sensitive information, or administrative access.

Affected Product(s)

Model no.    Product name                                      Affected versions
8000075041   19 IOT MD01 LAN H4 S0011 (contains IoT-GW30)      Firmware vers: all/*
8000058270   FP IOT MD01 4EU S2 00000 (contains IoT-GW30-4G-EU) Firmware vers: all/*
8000058603   FP IOT MD01 LAN S2 00000 (contains IoT-GW30)      Firmware vers: all/*
8000055224   FP IOT MD01 LAN S2 S0011 (contains IoT-GW30)      Firmware vers: all/*
8000058282   FP IOT MD02 4EU S3 00000 (contains IoT-GW30-4G-EU) Firmware vers: all/*
2682620000   IoT-GW30                                          Firmware <=1.16.0
2682630000   IoT-GW30-4G-EU                                    Firmware <=1.16.0
1334950000   UC20-WL2000-AC                                    Firmware <=1.16.0
1334990000   UC20-WL2000-IOT                                   Firmware <=1.16.0
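Checking a firmware inventory against the affected-product table above, as an added example that is not part of the advisory and not Weidmueller's or Quanos' code. The model numbers and version ranges are those listed in the table; the inventory entries are constructed sample data, and model 1234567890 is a hypothetical unlisted device.

```python
import re

# Affected firmware versions per model number, as listed in the advisory's table.
# "all/*" marks a bundled product whose every firmware version is affected.
AFFECTED = {
    "8000075041": "all/*", "8000058270": "all/*", "8000058603": "all/*",
    "8000055224": "all/*", "8000058282": "all/*",
    "2682620000": "<=1.16.0", "2682630000": "<=1.16.0",
    "1334950000": "<=1.16.0", "1334990000": "<=1.16.0",
}
FIXED_VERSION = (1, 17, 0)  # remediation: firmware version 1.17.0 or later

# Constructed sample inventory (model number, firmware), not real asset data.
INVENTORY = [
    ("2682620000", "1.16.0"),   # IoT-GW30 on the last listed affected version
    ("2682620000", "v1.17.0"),  # IoT-GW30 on the fixed firmware
    ("8000058603", "2.3.1"),    # bundled product: every version affected
    ("1334950000", "1.16.2"),   # above the listed range, but below 1.17.0
    ("1234567890", "1.0.0"),    # hypothetical model not in the advisory
]

def parse_version(text):
    """'1.16.0' or 'v1.16' -> (1, 16, 0) for tuple comparison."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())

def classify(model_no, firmware):
    """Return 'affected', 'fixed', 'unverified' or 'not listed' for one asset."""
    rng = AFFECTED.get(model_no)
    if rng is None:
        return "not listed"
    if rng == "all/*":
        return "affected"
    if not rng.startswith("<="):
        raise ValueError(f"unsupported range syntax: {rng!r}")
    version = parse_version(firmware)
    if version <= parse_version(rng[2:]):
        return "affected"
    # Above the listed range but below the fixed release is not covered by the
    # advisory: flag it instead of silently treating it as fixed.
    return "fixed" if version >= FIXED_VERSION else "unverified"

def check_inventory(inventory):
    """Classify every (model_no, firmware) pair; returns a dict keyed by pair."""
    return {(m, fw): classify(m, fw) for m, fw in inventory}

if __name__ == "__main__":
    for (model, fw), verdict in check_inventory(INVENTORY).items():
        print(f"{model} {fw:<8} {verdict}")
```

Any asset reported as "affected" or "unverified" should be scheduled for the firmware update described under Remediation.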

Vulnerabilities

Published
09/22/2025 14:57
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

Quanos "SCHEMA ST4" example web templates in version Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 or below are prone to JavaScript injection, allowing a remote attacker to hijack existing sessions to, e.g., other web services in the same environment or to execute scripts in the user's browser environment. The affected script is '*-schema.js'.

References

Mitigation

If the remediation cannot be implemented in a timely manner, Weidmueller strongly recommends that the authenticated user logged in to the product does not click on links from external sources.

Remediation

Weidmueller strongly recommends that customers install a patched firmware that fixes this vulnerability.
Fixed firmware (version 1.17.0 or later) for each affected product can be obtained from weidmueller.com.

Revision History

Version   Date              Summary
1         12/14/2022 08:00  Initial revision.