CORS Misconfiguration in Siemens Web Interfaces
CVE-2023-46281

8.8 HIGH

Key Information:

Vendor: Siemens
CVE Published: 12 December 2023

Summary

The web interfaces of several Siemens products apply an overly permissive CORS policy. By taking advantage of this misconfiguration, an attacker could deceive a legitimate user into triggering unintended actions, which may compromise the security of the user's session or expose sensitive data.

Affected Version(s)

Opcenter Execution Foundation 0

Opcenter Quality 0

SIMATIC PCS neo 0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
