Persistent Cross-Site Scripting in Climatix BACnet/IP and AWM Modules
CVE-2020-7575
6.1 MEDIUM
Key Information:
- Vendor: Siemens
- CVE Published: 14 April 2020
Summary
A persistent cross-site scripting vulnerability has been discovered in the web server access log page of Climatix POL908 and POL909 modules. This weakness could allow an attacker with network access to inject arbitrary JavaScript code through crafted GET requests. If exploited, this malicious code may later execute in the browser sessions of subsequent privileged users, leading to potential compromises of confidentiality and integrity. The affected products include all versions of Climatix POL908 and all versions of Climatix POL909 prior to V11.32.
Affected Version(s)
Climatix POL908 (BACnet/IP module) All versions
Climatix POL909 (AWM module) All versions < V11.32
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved