
ID

VDE-2025-032

Published

2025-05-06 10:00 (CEST)

Last update

2025-05-06 09:31 (CEST)

Vendor(s)

Wiesemann & Theis GmbH

Product(s)

Product Name                                        Affected Version(s)
ERP-Gateway 12x Digital Input, 6x Digital Relais    all
ERP-Gateway 2x Digital Input, 2x Digital Output     all
ERP-Gateway 2x Digital PoE                          all
Web-Alarm 6x6 Digital                               all
Web-Count 6x Digital                                < 3.79
Web-Graph Air Quality                               all
Web-IO 12x Digital Input, 6x Digital Relais         all
Web-IO 12x Digital Input, 6x Digital Relais         all
Web-IO 12x Digital Input, 6x Digital Relais         all
Web-IO Analog-In/Out 2x 0/4..20mA PoE               all
Web-IO Digital 12xIn, 12xOut                        all
Web-IO Digital 12xIn, 12xOut                        all
Web-IO Digital 12xIn, 12xOut                        < 4.08
Web-IO Digital 12xIn, 12xOut, 1xRS232               all
Web-IO Digital 12xIn, 12xOut, 1xRS232               all
Web-IO Digital 2xIn, 2xOut                          all
Web-IO Digital 2xIn, 2xOut                          all
Web-IO Digital 2xIn, 2xOut                          all
Web-IO Digital Logger 6xIn, 6xOut                   < 3.70
Web-Thermograph 2x                                  all
Web-Thermograph 8x                                  all
Web-Thermograph NTC                                 all
Web-Thermograph NTC PoE                             all
Web-Thermograph Pt100 / Pt1000                      all
Web-Thermograph Pt100 / Pt1000 PoE                  all
Web-Thermograph Relais                              all
Web-Thermo-Hygrobarograph                           all
Web-Thermo-Hygrograph                               all

Summary

Multiple W&T products are vulnerable to cross-site scripting (XSS). An authenticated remote attacker can execute arbitrary web scripts or HTML by injecting crafted payloads into several input fields of the configuration web page.


CVE ID

CVE-2025-3020

Last Update:

6 May 2025 09:22

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')  (CWE-79) 

Summary

A low-privileged remote attacker can execute arbitrary web scripts or HTML by injecting a crafted payload into several fields of the configuration web page, with limited impact.

Details

certvde.com 

Impact

Multiple W&T products are vulnerable to cross-site scripting (XSS). An authenticated remote attacker can execute arbitrary web scripts or HTML by injecting a crafted payload into the title of the configuration web page.
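The defect class described above (CWE-79) comes down to where the stored title is written into the page without output encoding. The following is an added illustration, not W&T firmware code: a minimal page renderer that concatenates a stored title into HTML the way a vulnerable device does, beside a hardened variant that HTML-escapes the value at every insertion point and applies an allowlist on the way in. The page layout, the field name, the sample payload and the allowlist pattern are all assumptions made for the example.

```python
import html
import re

# Constructed sample payload of the kind a low-privileged user could submit
# in a text field of a device's configuration page (not taken from the advisory).
SAMPLE_PAYLOAD = '</title><script>alert(document.cookie)</script>'

# Hypothetical allowlist for a device/page title: printable ASCII subset, max 64 chars.
# A real product would pick its own character set; the point is to reject markup early.
TITLE_ALLOWLIST = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def render_vulnerable(title: str) -> str:
    """Assumed vulnerable page generation: the stored title is concatenated
    straight into two HTML contexts (element body and attribute value)."""
    return (
        "<html><head><title>" + title + "</title></head>"
        '<body><form><input name="title" value="' + title + '"></form>'
        "</body></html>"
    )


def render_hardened(title: str) -> str:
    """Same page, but the title is HTML-escaped before insertion.
    html.escape(quote=True) encodes & < > \" and ', so the value is safe in
    both the element body and the double-quoted attribute used here."""
    safe = html.escape(title, quote=True)
    return (
        "<html><head><title>" + safe + "</title></head>"
        '<body><form><input name="title" value="' + safe + '"></form>'
        "</body></html>"
    )


def is_acceptable_title(title: str) -> bool:
    """Input-side check (defence in depth, not a substitute for output
    encoding): accept only titles matching the assumed allowlist."""
    return TITLE_ALLOWLIST.fullmatch(title) is not None


def contains_script_injection(page: str) -> bool:
    """Rough detector used to compare the two renderers: does an unescaped
    <script> tag survive in the rendered page?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable page injected:", contains_script_injection(render_vulnerable(SAMPLE_PAYLOAD)))
    print("hardened page injected:  ", contains_script_injection(render_hardened(SAMPLE_PAYLOAD)))
    print("payload passes allowlist:", is_acceptable_title(SAMPLE_PAYLOAD))
```

Escaping on output is the fix that actually closes CWE-79; the allowlist only narrows what an attacker can store and would not, on its own, protect fields that legitimately need punctuation.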

Solution

Remediation

All listed products are end of life (EoL). For the following products we strongly recommend upgrading the firmware:

  • Web-IO Digital Logger 6xIn: upgrade to 3.84
  • Web-Count 6x Digital: upgrade to 3.84
  • Web-IO Digital 12xIn/12xOut: upgrade to 4.08

For the other products no updates will be made available.

Reported by

CERT@VDE coordinated with Wiesemann & Theis