Publication Date: | |
Last Update: | |
Current Version: | V1.0 |
CVSS v3.1 Base Score: | 6.8 |
CVSS v4.0 Base Score: | 8.2 |
Affected Product and Versions | Remediation |
---|---|
All versions < V5.2 affected by CVE-2024-36140 | Update to V5.2 or later version |
All versions < V5.2 affected by CVE-2024-36140 | Update to V5.2 or later version |
Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.
As a general security measure, Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.
This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.
The user accounts tab of affected devices is vulnerable to stored cross-site scripting (XSS) attacks.
This could allow an authenticated remote attacker to inject arbitrary JavaScript code that is later executed by another authenticated victim user with potentially higher privileges than the attacker.
CVSS v3.1 Base Score | 6.8 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N |
CVSS v4.0 Base Score | 8.2 |
CVSS v4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Note that the initial fix version V5.2 was released in 2014 and is no longer available for download; Siemens recommends using the latest version available on the download page.
V1.0 (2024-11-12): | Publication Date |