Wiesemann & Theis: Multiple W&T Products are vulnerable to cross-site-scripting

VDE-2025-032
Last update
05/06/2025 12:00
Published at
05/06/2025 12:00
Vendor(s)
Wiesemann & Theis GmbH
External ID
VDE-2025-032
Summary

Multiple W&T products are prone to an XSS attack. An authenticated remote attacker can execute arbitrary web scripts or HTML via crafted payloads injected into several input fields of the configuration webpage.

Impact

Multiple W&T products are prone to an XSS attack. An authenticated remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into the title of the configuration webpage.

Affected Product(s)

Model no.   Product name                                        Affected versions
57636       ERP-Gateway 12x Digital Input, 6x Digital Relais    Firmware vers:all/*
57635       ERP-Gateway 2x Digital Input, 2x Digital Output     Firmware vers:all/*
57638       ERP-Gateway 2x Digital PoE                          Firmware vers:all/*
57651       Web-Alarm 6x6 Digital                               Firmware vers:all/*
57652       Web-Count 6x Digital                                Firmware <3.79
57618       Web-Graph Air Quality                               Firmware vers:all/*
57634M      Web-IO 12x Digital Input, 6x Digital Relais         Firmware vers:all/*
57634       Web-IO 12x Digital Input, 6x Digital Relais         Firmware vers:all/*
57634N      Web-IO 12x Digital Input, 6x Digital Relais         Firmware vers:all/*
57661       Web-IO Analog-In/Out 0/4..20mA PoE                  Firmware vers:all/*
57662       Web-IO Analog-In/Out 2x 0..10V PoE                  Firmware vers:all/*
57630N      Web-IO Digital 12xIn, 12xOut                        Firmware <4.08
57630M      Web-IO Digital 12xIn, 12xOut                        Firmware vers:all/*
57630       Web-IO Digital 12xIn, 12xOut                        Firmware vers:all/*
57631M      Web-IO Digital 12xIn, 12xOut, 1xRS232               Firmware vers:all/*
57631       Web-IO Digital 12xIn, 12xOut, 1xRS232               Firmware vers:all/*
57637       Web-IO Digital 2xIn, 2xOut                          Firmware vers:all/*
57633       Web-IO Digital 2xIn, 2xOut                          Firmware vers:all/*
57637N      Web-IO Digital 2xIn, 2xOut                          Firmware vers:all/*
57650       Web-IO Digital Logger 6xIn, 6xOut                   Firmware <3.70
57613       Web-Thermo-Hygrobarograph                           Firmware vers:all/*
57620       Web-Thermo-Hygrograph                               Firmware vers:all/*
57607       Web-Thermograph 2x                                  Firmware vers:all/*
57608       Web-Thermograph 8x                                  Firmware vers:all/*
57609       Web-Thermograph NTC                                 Firmware vers:all/*
57614       Web-Thermograph NTC PoE                             Firmware vers:all/*
57610       Web-Thermograph Pt100                               Firmware vers:all/*
57615       Web-Thermograph Pt100 / Pt1000 PoE                  Firmware vers:all/*
57616       Web-Thermograph Relais                              Firmware vers:all/*

Vulnerabilities

Published
09/24/2025 12:42
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

A low-privileged remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage, with limited impact.

References

Remediation

All products are EoL.
For the following products we strongly recommend upgrading the firmware:
* Web-IO Digital Logger 6xIn upgrade to 3.84
* Web-Count 6x Digital upgrade to 3.84
* Web-IO Digital 12xIn/12xOut upgrade to 4.08

For the other products there will be no updates available.
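The following is an added example, not code from CERT@VDE or from Wiesemann & Theis: a small asset-inventory check that classifies a W&T device against the affected-products table and the remediation list above. Model numbers, version thresholds and upgrade targets are taken from this advisory; the assumption that each of the three upgrade recommendations applies to the one model carrying an explicit version threshold (57652, 57630N, 57650), and that firmware versions compare as dotted integers (3.79 < 3.84), is mine.

```python
import re

# Models the advisory lists as "Firmware <X": affected only below that
# threshold. Each maps to (threshold, upgrade target), the target being the
# firmware named in the Remediation section (assumed to pair with this model).
FIXED = {
    "57652": ((3, 79), (3, 84)),   # Web-Count 6x Digital
    "57630N": ((4, 8), (4, 8)),    # Web-IO Digital 12xIn, 12xOut
    "57650": ((3, 70), (3, 84)),   # Web-IO Digital Logger 6xIn, 6xOut
}

# Models listed as "Firmware vers:all/*": every version is affected and the
# advisory states that no update will be provided.
ALL_VERSIONS = {
    "57636", "57635", "57638", "57651", "57618", "57634M", "57634", "57634N",
    "57661", "57662", "57630M", "57630", "57631M", "57631", "57637", "57633",
    "57637N", "57613", "57620", "57607", "57608", "57609", "57614", "57610",
    "57615", "57616",
}


def parse_version(text):
    """'3.79' -> (3, 79). Assumes W&T firmware is <major>.<two-digit minor>."""
    m = re.fullmatch(r"(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(model, firmware):
    """Classify one inventory entry against VDE-2025-032.

    Returns (affected, action): 'upgrade to X.YY' when a fixed build exists,
    'no fix (EoL)' when all versions are affected, 'not affected' when the
    firmware is at or above the threshold, or 'not listed' otherwise.
    """
    model = model.strip().upper()
    if model in FIXED:
        threshold, target = FIXED[model]
        if parse_version(firmware) < threshold:
            return True, f"upgrade to {target[0]}.{target[1]:02d}"
        return False, "not affected"
    if model in ALL_VERSIONS:
        return True, "no fix (EoL)"
    return False, "not listed in VDE-2025-032"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for model, fw in [("57652", "3.78"), ("57630N", "4.08"), ("57630", "4.08")]:
        print(model, fw, assess(model, fw))
```

Devices that come back as "no fix (EoL)" need compensating controls rather than a patch, since the advisory states no updates will be made available for them.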

Acknowledgments

Wiesemann & Theis GmbH thanks the following parties for their efforts:

Revision History

Version   Date               Summary
1         05/06/2025 12:00   Initial revision