ID

VDE-2023-027

Published

2023-08-07 11:35 (CEST)

Last update

2023-08-07 11:35 (CEST)

Vendor(s)

AUMA Riester GmbH & Co. KG

Product(s)

Article No°    Product Name            Affected Version(s)
               SIMA² Master Station    all versions

Summary

A reflected cross-site scripting vulnerability exists in the System Diagnostics Manager (SDM) component of SIMA² Master Stations.


Last Update:

July 31, 2023, 3:47 p.m.

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Summary

A reflected cross-site scripting (XSS) vulnerability exists in the System Diagnostics Manager of B&R Automation Runtime versions >=3.00 and <=C4.93 that enables a remote attacker to execute arbitrary JavaScript in the context of the user's browser session.


Impact

Please consult the CVE details.

Solution

Mitigation

Do not use hyperlinks provided by untrusted third parties to access the SIMA² System Diagnostics Manager. Such hyperlinks may be delivered via:
• Emails from unknown users
• Social media channels
• Messaging services
• Webpages with comment functionality
• QR Codes
The use of an external Web Application Firewall (WAF) can mitigate attacks that rely on reflected cross-site scripting.

Remediation

None

Reported by

CERT@VDE coordinated with AUMA.