CVE-2022-36325

Severity
4.8 MEDIUM
EPSS
0.3%
top 47.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 10
Latest update: Aug 11

Description

Affected devices do not properly sanitize data introduced by a user when rendering the web interface. This could allow an authenticated remote attacker with administrative privileges to inject code and lead to a DOM-based XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Exploitability: 0.9 | Impact: 5.9

Affected Packages: 128 packages

🔴 Vulnerability Details

2
GHSA
GHSA-9r25-j996-8h38: A vulnerability has been identified in SCALANCE M-800 / S615 (All versions), SCALANCE SC-600 family (All versions < V2 | 2022-08-11
CVEList
CVE-2022-36325: Affected devices do not properly sanitize data introduced by a user when rendering the web interface | 2022-08-10