VDE-2024-023
Last update: 04/23/2024 10:00
Published at: 04/23/2024 10:00
Vendor(s): Welotec GmbH
External ID: VDE-2024-023
Summary
Welotec has been informed by an external source that the WebUI of the device management solution "SMART EMS" and the remote connectivity solution "VPN Security Suite" is vulnerable to clickjacking. Welotec advises updating to version v3.1.4 or later.
Impact
Please see the CVE description.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| SMART EMS | SMART EMS | <3.1.4 |
| VPN Security Suite | VPN Security Suite | <3.1.4 |
Vulnerabilities
Published: 09/24/2025 12:42
Weakness: Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
Summary: An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames.
Mitigation
This vulnerability can be mitigated by placing an additional reverse proxy and/or web application firewall in front of the WebUI.
Remediation
Update the software to version 3.1.4 or later and configure the Content Security Policy (CSP).
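To confirm that the update, the CSP configuration, or a fronting reverse proxy actually restricts framing, the response headers of the WebUI can be audited. The following is an added example, not Welotec code: it assumes the standard CSP `frame-ancestors` directive and the legacy `X-Frame-Options` header are the controls in use (the advisory does not state which CSP values to set), and all header values are constructed samples.

```python
# Added example (not Welotec code): classify a response's anti-framing headers.
# All header values in SAMPLES are constructed, not captured from a device.

BROAD = {"*", "http:", "https:"}  # sources that allow framing from any origin

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # CSP ignores repeated directives: the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def framing_verdict(headers):
    """Return (verdict, reason) for one HTTP response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" in csp:  # takes precedence over X-Frame-Options
        sources = csp["frame-ancestors"]
        if sources == ["'none'"]:
            return "protected", "frame-ancestors 'none' forbids all framing"
        if not sources or BROAD & set(sources):
            return "weak", "frame-ancestors is empty or allows any origin"
        return "protected", "framing limited to: " + " ".join(sources)
    if xfo in ("DENY", "SAMEORIGIN"):
        return "legacy-only", "X-Frame-Options " + xfo + " set, no frame-ancestors"
    if "content-security-policy-report-only" in h:
        return "unprotected", "CSP is report-only, so it is not enforced"
    return "unprotected", "no enforced anti-framing header"

SAMPLES = {
    "no_headers": {"Content-Type": "text/html"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "first_wins": {"content-security-policy": "frame-ancestors https: ; frame-ancestors 'none'"},
    "proxy_xfo": {"X-Frame-Options": "sameorigin"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, *framing_verdict(hdrs))
```

A "legacy-only" verdict is what a reverse proxy that only injects `X-Frame-Options` would produce; "weak" flags a policy that is present but does not restrict framing.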
Acknowledgments
Welotec GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
Revision History
| Version | Date | Summary | 
|---|---|---|
| 1 | 04/23/2024 10:00 | Initial revision. |