CVE-2017-14850
Published 2019-06-03
CVE-2017-14850: All known versions of the Orpak SiteOmat web management console are vulnerable to multiple instances of Stored Cross-site Scripting due to improper external…
Priority: P4 · 29 · medium · 6.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.73% (74.7th percentile)
All known versions of the Orpak SiteOmat web management console are vulnerable to multiple instances of Stored Cross-site Scripting due to improper external user-input validation. An attacker with access to the web interface is able to hijack sessions or navigate victims outside of SiteOmat, to a malicious server owned by him.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orpak | siteomat | < 6.4.414.084 | 6.4.414.084 |
CVSS provenance
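| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |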
VulDB
Orpak SiteOmat Web Management Console Stored cross site scripting (BID-108167)
vuldb·2026-06-03·CVSS 6.1
CVE-2017-14850 [MEDIUM] Orpak SiteOmat Web Management Console Stored cross site scripting (BID-108167)
A vulnerability was found in Orpak SiteOmat. It has been declared as problematic. This impacts an unknown function of the component Web Management Console. Such manipulation leads to cross site scripting (Stored).
This vulnerability is listed as CVE-2017-14850. The attack may be performed from remote. There is no available exploit.
GHSA
GHSA-w63m-q7q5-grjw: All known versions of the Orpak SiteOmat web management console are vulnerable to multiple instances of Stored Cross-site Scripting due to improper ext
ghsa_unreviewed·2022-05-24
CVE-2017-14850 [MEDIUM] CWE-79 GHSA-w63m-q7q5-grjw: All known versions of the Orpak SiteOmat web management console are vulnerable to multiple instances of Stored Cross-site Scripting due to improper ext
All known versions of the Orpak SiteOmat web management console are vulnerable to multiple instances of Stored Cross-site Scripting due to improper external user-input validation. An attacker with access to the web interface is able to hijack sessions or navigate victims outside of SiteOmat, to a malicious server owned by him.
CISA ICS
Orpak SiteOmat
cisa_ics·2019-05-06·CVSS 9.8
[CRITICAL] Orpak SiteOmat
ICS Advisory
## Orpak SiteOmat
Last Revised: May 06, 2019
Alert Code: ICSA-19-122-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit/public exploits available
- Vendor: Orpak (acquired by Gilbarco Veeder-Root)
- Equipment: SiteOmat
- Vulnerabilities: Use of Hard-coded Credentials, Cross-site Scripting, SQL Injection, Missing Encryption of Sensitive Data, Code Injection, Stack-based Buffer Overflow
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in arbitrary remote code execution resulting in possible denial
No detection rules found.
No public exploits indexed.
Securelist
Gas is too expensive? Let’s make it cheap!
blogs_securelist·2018-02-07
Gas is too expensive? Let’s make it cheap!
Authors
- Ido Naor
A few months ago, while undertaking unrelated research into online connected devices, we uncovered something surprising and realized almost immediately that we could be looking at a critical security threat. What we found was a simple purple web interface that was in fact a link to a real-life gas station, and we suspected this link made the station remotely hackable.
Amihai Neiderman, then working for Azimuth security, and I investigated the findings. When our suspicions turned out to be true, we reported them to the vendor.
The story was covered recently by Motherboard VICE, and here we will share some of the technical details behind it. Further details of this research will be shared in early March at the Security Analyst Summit 2018 in Cancun.
The device we inve
Published: 2019-06-03