Back to overview

Pilz: Vulnerability in PASvisu and PMI v8xx

VDE-2023-050
Last update
04/10/2025 15:00
Published at
01/30/2024 08:00
Vendor(s)
Pilz GmbH & Co. KG
External ID
VDE-2023-050
CSAF Document
Download

Summary

Multiple Pilz products are affected by stored cross-site-scripting (XSS) vulnerabilities. The vulnerabilities may enable an attacker to gain full control over the system.

Update: 27.02.2024 Fix typo in advisory title

Impact

The vulnerabilities allow an attacker to inject malicious Javascript code into the system. With PASvisu
Builder in a worst-case scenario this can lead to execution of arbitrary code using the privileges of the
user running the affected software. With PASvisu Runtime (including PMI v8xx) in a worst-case
scenario this could have an impact on the controlled automation application.

Affected Product(s)

Model no. Product name Affected versions
266807, 266812, 266815 PILZ Hardware PMI v8xx PILZ Firmware PMI v8xx <=2.0.33992
PILZ Software PASvisu <1.14.1 PILZ Software PASvisu <1.14.1

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:58
Severity
8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device.

References
cve.org | nvd.nist.gov

Mitigation

  • Only use project files from trustworthy sources.
  • Protect project files against modification by unauthorized users.
  • PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar
    measures. Use password protection on the online project.

Remediation

Install the fixed product version as soon as it is available. Please visit the Pilz eShop
(https://www.pilz.com/en-INT/eshop external link) to check for the fixed version

Revision History

Version Date Summary
1 01/30/2024 08:00 Initial revision.
2 02/27/2024 15:00 Updated Title.
3 11/06/2024 12:27 Fix: correct certvde domain, added self-reference
4 04/10/2025 15:00 fixed version operators