Cross-Site Scripting Vulnerability in SIMATIC HMI Products by Siemens
CVE-2019-6577

5.4 MEDIUM

Summary

A Cross-Site Scripting (XSS) vulnerability has been identified in various SIMATIC HMI products. It may allow an attacker with network access to exploit the integrated web server. Successful exploitation can compromise the confidentiality and integrity of the affected systems. The attack could be executed by manipulating specific configurations via SNMP, and it requires user interaction and system privileges. As of now, no public exploits have been reported for this vulnerability. It is crucial for users of affected devices to implement security measures promptly.

Affected Version(s)

SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel): All versions

SIMATIC HMI Comfort Outdoor Panels 7" & 15": All versions < V15.1 Update 1

SIMATIC HMI Comfort Panels 4" - 22": All versions < V15.1 Update 1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
