Code Execution Vulnerability in iFrame Widgets and Dashboards by SICK
CVE-2025-49191
4.8 MEDIUM
What is CVE-2025-49191?
This vulnerability allows for unauthorized code execution through linked URLs embedded in iFrame widgets and dashboards. If an attacker, possessing the necessary permissions to create new dashboards or widgets, embeds a malicious URL, any user who accesses that dashboard may unwittingly execute harmful code. This poses a serious risk to user security and integrity, highlighting the need for stringent access controls and vigilant monitoring of widget creation capabilities.
Affected Version(s)
SICK Field Analytics: all versions
CVSS V3.1
Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
