Share: Email | Twitter

ID

VDE-2023-050

Published

2024-01-30 08:00 (CET)

Last update

2024-02-27 14:59 (CET)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
PASvisu < 1.14.1
266807, 266812, 266815 PMI v8xx <= 2.0.33992

Summary

Multiple Pilz products are affected by stored cross-site-scripting (XSS) vulnerabilities. The
vulnerabilities may enable an attacker to gain full control over the system.

Update: 27.02.2024 Fix typo in advisory title

Vulnerabilities



Last Update
29. Januar 2024 15:44
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.

Last Update
29. Januar 2024 15:44
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device.

Impact

The vulnerabilities allow an attacker to inject malicious Javascript code into the system. With PASvisu
Builder in a worst-case scenario this can lead to execution of arbitrary code using the privileges of the
user running the affected software. With PASvisu Runtime (including PMI v8xx) in a worst-case
scenario this could have an impact on the controlled automation application.

Solution

Mitigation

 Only use project files from trustworthy sources.
• Protect project files against modification by unauthorized users.
• PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar
measures. Use password protection on the online project.

Remediation

• Install the fixed product version as soon as it is available. Please visit the Pilz eShop
(https://www.pilz.com/en-INT/eshop) to check for the fixed version

Reported by

CERT@VDE coordinated with Pilz