CVE-2020-7575

6.1MEDIUM

Key Information:

Vendor: Siemens
Status: Climatix Pol908 (bacnet/ip Module); Climatix Pol909 (awm Module)
Vendor: CVE Published:; 14 April 2020

Summary

A vulnerability has been identified in Climatix POL908 (BACnet/IP module) (All versions), Climatix POL909 (AWM module) (All versions < V11.32). A persistent cross-site scripting (XSS) vulnerability exists in the web server access log page of the affected devices that could allow an attacker to inject arbitrary JavaScript code via specially crafted GET requests. The code could be potentially executed later by another (privileged) user. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires no system privileges. An attacker could use the vulnerability to compromise the confidentiality and integrity of other users' web sessions.

Affected Version(s)

Climatix POL908 (BACnet/IP module) All versions

Climatix POL909 (AWM module) All versions < V11.32

References

https://cert-portal.siemens.com/productcert/pdf/ssa-88651...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 14, 2020
Vulnerability Reserved
Jan 21, 2020