Cross-Site Request Forgery in Siemens Desigo Products
CVE-2022-40179
8.1 HIGH
Key Information:
- Vendor: Siemens
- CVE Published: 11 October 2022
Summary
A Cross-Site Request Forgery vulnerability exists in Siemens Desigo products that allows remote attackers to execute arbitrary Axon queries without authenticating themselves. The cause is inadequate anti-CSRF token validation on the web application's operation endpoints. An attacker can trick a user who is logged into the application into clicking a malicious link or visiting a crafted web page, causing the user's browser to submit the attacker's request with the victim's session and thereby compromising the device.
Affected Version(s)
Desigo PXM30-1 All versions < V02.20.126.11-41
Desigo PXM30.E All versions < V02.20.126.11-41
Desigo PXM40-1 All versions < V02.20.126.11-41
References
CVSS V3.1
- Score: 8.1
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved