Attackers Can Redirect Users to Malicious URLs via Insecure Input Validation

CVE-2024-46886
4.7 MEDIUM

Key Information

Vendor: Siemens
Products:

  • SIMATIC Drive Controller CPU 1504D TF

  • SIMATIC Drive Controller CPU 1507D TF

  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)

  • SIMATIC S7-1200 CPU 1211C AC/DC/RLY

CVE Published: 8 October 2024

Summary

The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted link.
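The flaw described above is an open redirect: the server takes a caller-supplied "return to" value and issues a redirect to it without checking that the destination stays on the device. The check below is an added example of the defender-side validation that closes this class of bug; it is not code from Siemens or from the affected SIMATIC firmware, and the parameter name "next", the allow-listed host "plc.example" and all sample targets are constructed for illustration. The validator accepts only a site-relative path (a single leading "/") or an absolute https URL whose hostname is exactly on an allow-list, and it rejects the encodings browsers reinterpret (protocol-relative "//host", backslashes, userinfo "@" tricks, control characters) rather than trying to normalise them.

```python
"""Redirect-target validation for a web application's "next" parameter.

Added example, not code from Siemens or the affected SIMATIC web server:
a generic defender-side check for the open-redirect class described in the
advisory. The parameter name "next", the allow-listed host "plc.example"
and the sample targets below are assumptions made for illustration.
"""
from urllib.parse import urlsplit

# Characters browsers strip or reinterpret while parsing a URL (ASCII
# controls, space, DEL) plus backslash, which browsers treat as "/" in
# http(s) URLs. Any of them in a redirect target is rejected outright
# rather than normalised, so parser differences cannot be exploited.
_FORBIDDEN_CHARS = {chr(c) for c in range(0x21)} | {chr(0x7F), "\\"}


def is_safe_redirect_target(target, allowed_hosts=frozenset()):
    """Return True only if `target` stays on this site or on an allow-listed host.

    Accepted:
      * a site-relative path: exactly one leading "/" (not "//", which
        browsers read as a protocol-relative URL to another host)
      * an absolute https URL whose hostname is exactly in `allowed_hosts`
    Everything else (other schemes such as javascript:, userinfo tricks like
    "https://good@evil", control characters, bare relative paths) is rejected.
    """
    if not target or any(ch in _FORBIDDEN_CHARS for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https to an allow-listed host.
        # Refuse any userinfo ("user@host") so "https://plc.example@evil.example"
        # cannot pass a naive substring check; compare the parsed hostname
        # (lower-cased, port stripped) exactly against the allow-list.
        if "@" in parts.netloc:
            return False
        return parts.scheme == "https" and parts.hostname in allowed_hosts
    # Relative target: require a single leading slash. A query string may
    # contain anything (e.g. "?next=https://evil.example"), which is harmless
    # because the browser still navigates to this site's path.
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target, fallback="/", allowed_hosts=frozenset()):
    """Return `target` if it passes validation, otherwise a fixed fallback.

    A handler should call this on the raw "next" value and redirect to the
    result; an attacker-controlled value then lands on `fallback` rather
    than on an external site.
    """
    return target if is_safe_redirect_target(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: what an attacker-crafted link might carry
    # in the "next" parameter, alongside legitimate values.
    samples = [
        "/dashboard",
        "/login?next=https://evil.example",
        "//evil.example",
        "/\\evil.example",
        "https://evil.example/",
        "javascript:alert(1)",
        "https://plc.example@evil.example/",
        "https://plc.example/login",
    ]
    for s in samples:
        print(f"{s!r:45} -> {resolve_redirect(s, allowed_hosts={'plc.example'})!r}")
```

Two design choices matter here. First, the check is an allow-list (what a redirect may look like), not a deny-list of known-bad prefixes, so new encoding tricks fail closed. Second, it never rewrites the target: a value that is not exactly acceptable is replaced by the fixed fallback, because "fixing up" a hostile URL is where most bypasses live.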

Affected Version(s)

  • SIMATIC Drive Controller CPU 1504D TF < 0

  • SIMATIC Drive Controller CPU 1507D TF < 0

  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) < 0

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published.

  • Vulnerability reserved.

Collectors

  • NVD Database

  • Mitre Database