
ID

VDE-2024-023

Published

2024-04-23 10:00 (CEST)

Last update

2024-04-22 12:42 (CEST)

Vendor(s)

Welotec GmbH

Product(s)

Article No° | Product Name | Affected Version(s)
 | SMART EMS | < 3.1.4
 | VPN Security Suite | < 3.1.4

Summary

Welotec has been informed by an external source that the WebUI of the device management solution "SMART EMS" and the remote connectivity solution "VPN Security Suite" is vulnerable to clickjacking, and advises updating to version v3.1.4 or later.


Last Update:

Aug. 30, 2024, 9:24 a.m.

Weakness

Improper Restriction of Rendered UI Layers or Frames (CWE-1021)

Summary

An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. 


Impact

Please see the CVE description. 

Solution

Mitigation

This vulnerability can be mitigated by placing an additional reverse proxy and/or Web Application Firewall in front of the WebUI.

Remediation

Update the software to version 3.1.4 or later and configure the Content Security Policy (CSP).
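
A check that can be run over the WebUI's response headers after the update, to confirm that framing is actually restricted. This is an added example, not Welotec's or CERT@VDE's code; it assumes the configured CSP relies on the standard frame-ancestors directive (the advisory does not give the policy), and the sample headers are constructed.

```python
# Added example: decide from response headers whether a page may be framed
# by other sites (CWE-1021). All sample headers below are constructed.

BROAD = {"*", "http:", "https:"}  # sources that let any site embed the page


def frame_ancestors_lists(csp_values):
    """Yield the frame-ancestors source list of every policy that has one."""
    for value in csp_values:
        for policy in value.split(","):  # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    yield [t.lower() for t in tokens[1:]]
                    break  # a repeated directive in the same policy is ignored


def framing_verdict(headers):
    """headers: (name, value) pairs as received. Returns (restricted, reason)."""
    def get(name):
        return [v for n, v in headers if n.lower() == name]

    lists = list(frame_ancestors_lists(get("content-security-policy")))
    if lists:
        # All enforced policies apply together, so one narrow list is enough.
        # An empty source list behaves like 'none'.
        if any(not BROAD & set(sources) for sources in lists):
            return True, "CSP frame-ancestors restricts embedding"
        # Browsers skip X-Frame-Options once an enforced frame-ancestors exists.
        return False, "frame-ancestors allows any origin"
    xfo = {v.strip().lower() for v in get("x-frame-options")}
    if xfo and xfo <= {"deny", "sameorigin"}:  # ALLOW-FROM is obsolete
        return True, "X-Frame-Options restricts embedding"
    if list(frame_ancestors_lists(get("content-security-policy-report-only"))):
        return False, "frame-ancestors is report-only, not enforced"
    return False, "no enforced anti-framing header"


SAMPLES = {  # constructed header sets
    "no_header": [("Content-Type", "text/html")],
    "hardened": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "report_only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "wildcard": [("Content-Security-Policy", "frame-ancestors *"), ("X-Frame-Options", "DENY")],
    "legacy": [("X-Frame-Options", "SAMEORIGIN")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_verdict(hdrs))
```

The same check applies to headers added by a reverse proxy or WAF in front of the WebUI, since the browser only sees the final response.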

Reported by

CERT@VDE coordinated with Welotec