Code Execution Vulnerability in iFrame Widgets and Dashboards by SICK
CVE-2025-49191

4.8 MEDIUM

Key Information:

Vendor: SICK AG
CVE Published: 12 June 2025

What is CVE-2025-49191?

This vulnerability allows for unauthorized code execution through linked URLs embedded in iFrame widgets and dashboards. If an attacker, possessing the necessary permissions to create new dashboards or widgets, embeds a malicious URL, any user who accesses that dashboard may unwittingly execute harmful code. This poses a serious risk to user security and integrity, highlighting the need for stringent access controls and vigilant monitoring of widget creation capabilities.

Affected Version(s)

SICK Field Analytics all versions

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
