Injection Flaw in SIMATIC WinCC OA from Siemens
CVE-2022-44731

5.4MEDIUM

Key Information:

Vendor: Siemens
Status: Simatic Wincc Oa V3.15; Simatic Wincc Oa V3.16; Simatic Wincc Oa V3.17; Simatic Wincc Oa V3.18
Vendor: CVE Published:; 13 December 2022

Summary

A critical vulnerability has been detected in various versions of Siemens' SIMATIC WinCC OA. This flaw permits authenticated remote attackers to inject custom arguments into the Ultralight Client backend application through the web interface. If exploited, it can allow attackers to manipulate application behavior, including opening unauthorized panels or initiating scripts with the attacker's credentials, posing serious risks to operational integrity and data security.

Affected Version(s)

SIMATIC WinCC OA V3.15 All versions < V3.15 P038

SIMATIC WinCC OA V3.16 All versions < V3.16 P035

SIMATIC WinCC OA V3.17 All versions < V3.17 P024

References

https://cert-portal.siemens.com/productcert/pdf/ssa-54771...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 13, 2022
Vulnerability Reserved
Nov 4, 2022