SSA-230445

Siemens Security Advisory by Siemens ProductCERT

SSA-230445: Stored XSS Vulnerability in OZW Web Servers Before V5.2

Publication Date:	2024-11-12
Last Update:	2024-11-12
Current Version:	V1.0
CVSS v3.1 Base Score:	6.8
CVSS v4.0 Base Score:	8.2

SUMMARY

OZW672 and OZW772 Web Server versions before V5.2 contain a stored cross-site scripting (XSS) vulnerability that could allow an authenticated remote attacker to inject arbitrary JavaScript code that is later executed by another authenticated victim user with potential higher privileges than the attacker.

Siemens has released new versions for the affected products and recommends to update to the latest versions.

AFFECTED PRODUCTS AND SOLUTION

Un-/Collapse All

Affected Product and Versions	Remediation
OZW672 All versions < V5.2 affected by CVE-2024-36140	Update to V5.2 or later version https://support.industry.siemens.com/cs/ww/en/view/62567396/
OZW772 All versions < V5.2 affected by CVE-2024-36140	Update to V5.2 or later version https://support.industry.siemens.com/cs/ww/en/view/62564534/

WORKAROUNDS AND MITIGATIONS

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.

PRODUCT DESCRIPTION

OZW devices (web servers) are used for remote monitoring of building controller devices, e.g. for monitoring of heating control or of air condition.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-36140

The user accounts tab of affected devices is vulnerable to stored cross-site scripting (XSS) attacks.

This could allow an authenticated remote attacker to inject arbitrary JavaScript code that is later executed by another authenticated victim user with potential higher privileges than the attacker.

CVSS v3.1 Base Score	6.8
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
CVSS v4.0 Base Score	8.2
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ACKNOWLEDGMENTS

Siemens thanks the following party for its efforts:

Paulo Mota for reporting the vulnerability

ADDITIONAL INFORMATION

Note that the initial fix version V5.2 was released in 2014 and is no longer available for download; Siemens recommends to use the latest version as available on the download page.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2024-11-12):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.