Cross-Site Request Forgery Vulnerability in Siemens Web Services
CVE-2022-30694

6.5 MEDIUM

Summary

The login endpoint of the affected Siemens web services does not adequately check the origin of incoming requests. Authenticated remote attackers could exploit this weakness to carry out cross-site request forgery (CSRF) attacks, which could enable them to track the activities of legitimate users without their consent.

Affected Version(s)

SIMATIC Drive Controller CPU 1504D TF All versions < V2.9.7

SIMATIC Drive Controller CPU 1507D TF All versions < V2.9.7

SIMATIC ET 200pro IM154-8 PN/DP CPU All versions < V3.2.19

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
