Persistent XSS Vulnerability in Climatix BACnet/IP and AWM Modules by Siemens
CVE-2020-7574

6.1MEDIUM

Key Information:

Vendor: Siemens
Status: Climatix Pol908 (bacnet/ip Module); Climatix Pol909 (awm Module)
Vendor: CVE Published:; 14 April 2020

What is CVE-2020-7574?

A persistent cross-site scripting (XSS) vulnerability has been identified in the web interface of Climatix POL908 and POL909 modules. This vulnerability allows attackers with network access to inject arbitrary JavaScript code, which can be executed by another user at a later point, potentially jeopardizing the confidentiality and integrity of their web session. Users are urged to apply the necessary patches and updates to safeguard their systems against this malicious exploitation.

Affected Version(s)

Climatix POL908 (BACnet/IP module) All versions

Climatix POL909 (AWM module) All versions < V11.32

References

https://cert-portal.siemens.com/productcert/pdf/ssa-88651...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2020
Vulnerability Reserved
Jan 21, 2020