vendor: SIMATIC S7-1200 CPU
by: t4rkd3vilz, Jameel Nabbo
CVSS: 7.5 HIGH
Cross-Site Scripting
CWE: 79
Product Name: SIMATIC S7-1200 CPU
Affected Version From: SIMATIC S7-1200 CPU family Versions: V2.X
Affected Version To: SIMATIC S7-1200 CPU family Versions: V3.X
Patch Exists: YES
Related CVE: CVE-2014-2908
CPE: a:siemens:simatic_s7-1200_cpu
Tags: cve,cve2014,xss,siemens,edb
CVSS Metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
Nuclei References:
https://www.exploit-db.com/exploits/44687
https://cert-portal.siemens.com/productcert/pdf/ssa-892012.pdf
https://nvd.nist.gov/vuln/detail/CVE-2014-2908
http://ics-cert.us-cert.gov/advisories/ICSA-14-114-02
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-892012.pdf
Nuclei Metadata: {'max-request': 1, 'vendor': 'siemens', 'product': 'simatic_s7_cpu_1200_firmware'}
Platforms Tested: Kali Linux
2018
Siemens SIMATIC S7-1200 CPU – Cross-Site Scripting
The Siemens SIMATIC S7-1200 CPU family versions V2.X and V3.X are vulnerable to cross-site scripting (XSS). An attacker can exploit this vulnerability by injecting malicious script code into the 'filtervalue' parameter of the '/Portal/Portal.mwsl' page. The injected script then executes in the context of the victim's browser, potentially allowing the attacker to steal sensitive information or perform unauthorized actions.
Mitigation:
To mitigate this vulnerability, it is recommended to apply the latest security updates provided by Siemens. Additionally, input validation and output encoding techniques should be implemented to prevent XSS attacks.