VDE-2023-029 | CERT@VDE

2023-08-17 14:00 (CEST) VDE-2023-029

Helmholz: Cross-site Scripting vulnerability in REX 200/REX 250

Share: Email | Twitter

ID

VDE-2023-029

Published

2023-08-17 14:00 (CEST)

Last update

2023-08-17 15:05 (CEST)

Vendor(s)

Helmholz GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	REX 200	< 7.3.2
	REX 250	< 7.3.2

Summary

A stored XXS vulnerability has been found in REX 200 and REX 250 in all versions before 7.3.2.

CVE ID

CVE-2023-34412

Last Update:

Aug. 30, 2024, 9:28 a.m.

Severity

4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Summary

A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower 7.3.2 allows an authenticated remote attacker with high privileges to inject malicious HTML or JavaScript code (XSS).

Details

cert.vde.com

Impact

A remote, authenticated attacker can fully compromise the browser session of all users accessing the devices web interface.

Solution

Update to 7.3.2

Reported by

CERT@VDE coordinated with Helmholz.