CVE-2023-3526

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

9.6CRITICAL

EPSS

0.6%

top 30.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phoenix Contact Cloud Client 1101t-tx/tx Phoenix Contact TC Cloud Client 1002-4g Phoenix Contact TC Cloud Client 1002-4g ATT +11 more

Timeline

PublishedAug 8

Description

In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user's browser.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages14 packages

▶CVEListV5phoenix_contact/cloud_client_1101t-tx/tx< 2.06.10

▶NVDphoenixcontact/cloud_client_1101t-tx_firmware< 2.06.10

▶CVEListV5phoenix_contact/tc_cloud_client_1002-4g< 2.07.2

▶CVEListV5phoenix_contact/tc_cloud_client_1002-4g_att< 2.07.2

▶CVEListV5phoenix_contact/tc_cloud_client_1002-4g_vzw< 2.07.2

🔴Vulnerability Details

CVEList

PHOENIX CONTACT: Cross-site Scripting vulnerability in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices↗2023-08-08

▶

GHSA

GHSA-v33q-q39m-425m: In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2↗2023-08-08

▶