PHOENIX CONTACT: Cross-site Scripting vulnerability in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices
CVE-2023-3526

CVSS v3.1 base score: 9.6 (CRITICAL)

Key Information:

Summary

An unauthenticated remote attacker could exploit a reflected XSS vulnerability in the license viewer page of PHOENIX CONTACT's TC ROUTER and TC CLOUD CLIENT. The flaw allows the attacker to execute arbitrary script in the context of a victim's browser, potentially compromising user data and device functionality. The vulnerability affects versions prior to 2.07.2 of the TC ROUTER and TC CLOUD CLIENT, as well as version 2.06.10 of the CLOUD CLIENT 1101T-TX/TX. Users are advised to update their devices to mitigate the risks associated with this vulnerability.

Affected Version(s)

  • CLOUD CLIENT 1101T-TX/TX: all versions before 2.06.10

  • TC CLOUD CLIENT 1002-4G: all versions before 2.07.2

  • TC CLOUD CLIENT 1002-4G ATT: all versions before 2.07.2

CVSS v3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
