Cross-Site Scripting Vulnerability in Siemens SCALANCE X and SIPLUS NET Switches
CVE-2018-4848
Summary
A cross-site scripting (XSS) vulnerability exists in select SCALANCE X and SIPLUS NET switch families. The flaw is in the integrated web server of affected devices and allows an attacker to execute scripts in the browser of a user who is deceived into visiting a malicious link. Exploitation requires user interaction, and the user must be logged into the web interface for it to succeed. At present there are no known public exploits for this vulnerability. Siemens has acknowledged the issue and is providing mitigation strategies.
Affected Version(s)
SCALANCE X-200 switch family (incl. SIPLUS NET variants): all versions < V5.2.3
SCALANCE X-200IRT switch family (incl. SIPLUS NET variants): all versions < V5.4.1
SCALANCE X-200RNA switch family: all versions < V3.2.7