WAGO: Origin validation error through CORS misconfiguration
CVE-2022-45139

5.3MEDIUM

Key Information:

Vendor
Wago
Status
Compact Controller Cc100 (751-9301)
Edge Controller (752-8303/8000-002)
Pfc100 (750-81xx/xxx-xxx)
Pfc200 (750-82xx/xxx-xxx)
Vendor
CVE Published:
27 February 2023

Summary

A CORS Misconfiguration in the web-based management allows a malicious third party webserver to misuse all basic information pages on the webserver. In combination with CVE-2022-45138 this could lead to disclosure of device information like CPU diagnostics. As there is just a limited amount of information readable the impact only affects a small subset of confidentiality.

Affected Version(s)

Compact Controller CC100 (751-9301) FW16

Compact Controller CC100 (751-9301) FW23

Edge Controller (752-8303/8000-002) FW18

References

https://cert.vde.com/en/advisories/VDE-2022-060/

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ryan Pickren of Georgia Institute of Technologys Cyber-Physical Security Lab
.
CVE-2022-45139 : WAGO: Origin validation error through CORS misconfiguration | SecurityVulnerability.io