Cross-Site Request Forgery Vulnerability in Siemens Desigo PXM and PXG Series
CVE-2022-40180

5.3 MEDIUM

Key Information:

Vendor
Siemens
CVE Published:
11 October 2022

Summary

A cross-site request forgery (CSRF) vulnerability has been found in the 'Import Files' function of the 'Operation' web application of Siemens Desigo PXM and PXG Series products. The function does not sufficiently validate anti-CSRF tokens, so a request that carries the victim's session cookie is accepted even when it was not issued from the application's own pages. A remote, unauthenticated attacker who entices a user who is logged into the web application to visit a malicious webpage can make the victim's browser submit a forged import request on the attacker's behalf. Because the import function accepts and activates the uploaded content, the attacker can upload and activate arbitrary JavaScript code on the device, which can lead to unauthorized actions in the victim's session and compromise of the device.
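The flaw class described above, as an added example that is not Siemens code and does not reflect the internals of the Desigo web application: a minimal request-handler model of an upload endpoint in the vulnerable form (cookie-only authentication, no token check) next to a hardened form that requires an exact-match Origin/Referer and a session-bound synchronizer token compared in constant time. The session store, the trusted origin `https://desigo.example.invalid`, the attacker origin `https://attacker.invalid`, the request dictionaries and the sample payload are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical in-memory session store: session cookie value -> session state.
SESSIONS = {}

# Assumed origin of the device's web application; not a real Desigo hostname.
TRUSTED_ORIGIN = "https://desigo.example.invalid"


def start_session(user):
    """Log a user in and bind a fresh synchronizer token to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the legitimate import page embeds as a hidden form field."""
    return SESSIONS[sid]["csrf_token"]


def _session_from(request):
    return SESSIONS.get(request["cookies"].get("session"))


def vulnerable_import_files(request):
    """Flawed handler: authenticates by cookie alone and never checks a token.
    The browser attaches the cookie to a cross-site POST as well, so a forged
    form submission is indistinguishable from a genuine one."""
    sess = _session_from(request)
    if sess is None:
        return 401, "login required"
    name, content = request["files"]["file"]
    return 200, f"imported {name} ({len(content)} bytes) for {sess['user']}"


def _request_origin(headers):
    """scheme://host[:port] the browser says the request came from, or None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def hardened_import_files(request):
    """Same handler with two independent CSRF defences: an exact-match
    Origin/Referer check and a session-bound token compared in constant time.
    Either one alone blocks the forged request built below."""
    sess = _session_from(request)
    if sess is None:
        return 401, "login required"
    if _request_origin(request["headers"]) != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "missing or invalid anti-CSRF token"
    name, content = request["files"]["file"]
    return 200, f"imported {name} ({len(content)} bytes) for {sess['user']}"


# Constructed sample payload standing in for attacker-supplied JavaScript.
PAYLOAD = b"alert(document.cookie)"


def forged_request(sid):
    """What the victim's browser sends after an attacker page auto-submits a
    multipart form to the import endpoint: the session cookie is attached
    (assuming the cookie carries no SameSite restriction), but the attacker
    cannot read the victim's token, and Origin names the attacker site."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://attacker.invalid"},
        "form": {},
        "files": {"file": ("evil.js", PAYLOAD)},
    }


def legitimate_request(sid):
    """The same upload submitted from the application's own import page."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"csrf_token": csrf_token_for(sid)},
        "files": {"file": ("dashboard.js", PAYLOAD)},
    }


if __name__ == "__main__":
    sid = start_session("operator")
    print("vulnerable, forged: ", vulnerable_import_files(forged_request(sid)))
    print("hardened, forged:   ", hardened_import_files(forged_request(sid)))
    print("hardened, genuine:  ", hardened_import_files(legitimate_request(sid)))
```

The origin check uses exact equality rather than a prefix match, since a prefix match would accept `https://desigo.example.invalid.attacker.invalid`; the token check uses `hmac.compare_digest` so a wrong token cannot be distinguished from a nearly-right one by timing. Marking the session cookie `SameSite=Lax` or `Strict` is a worthwhile third layer, but on its own it depends on browser behaviour that the device cannot verify.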

Affected Version(s)

Desigo PXM30-1 All versions < V02.20.126.11-41

Desigo PXM30.E All versions < V02.20.126.11-41

Desigo PXM40-1 All versions < V02.20.126.11-41

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Timeline

  • Vulnerability reserved

  • Vulnerability published: 11 October 2022