
ID

VDE-2023-029

Published

2023-08-17 14:00 (CEST)

Last update

2023-08-17 15:05 (CEST)

Vendor(s)

Helmholz GmbH & Co. KG

Product(s)

Article No°   Product Name   Affected Version(s)
              REX 200        < 7.3.2
              REX 250        < 7.3.2

Summary

A stored XSS vulnerability has been found in REX 200 and REX 250 in all versions before 7.3.2.


Last Update:

Aug. 30, 2024, 9:28 a.m.

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Summary

A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware versions lower than 7.3.2 allows an authenticated remote attacker with high privileges to inject malicious HTML or JavaScript code (XSS).


Impact

A remote, authenticated attacker can fully compromise the browser session of all users accessing the device's web interface.

Solution

Update to 7.3.2

Reported by

CERT@VDE coordinated with Helmholz.