Improper Input Neutralization in Desigo PXM and PXG Products by Siemens
CVE-2022-40178
5.4 MEDIUM
Key Information:
- Vendor: Siemens
- CVE Published: 11 October 2022
Summary
A vulnerability exists within Siemens Desigo products, specifically in the “Import Files” functionality of the “Operation” web application. This flaw stems from inadequate validation of file titles in the input package, allowing a low-privileged remote attacker to upload a specially crafted graphics package. This can lead to the execution of arbitrary JavaScript code on the affected system, potentially compromising its integrity.
Affected Version(s)
Desigo PXM30-1 All versions < V02.20.126.11-41
Desigo PXM30.E All versions < V02.20.126.11-41
Desigo PXM40-1 All versions < V02.20.126.11-41
CVSS V3.1
- Score: 5.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved