CVE-2023-46097

CWE-89: SQL Injection
3 documents, 3 sources

Severity: 8.0 HIGH
EPSS: 0.1% (top 72.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 14

Description

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). The PUD Manager of affected products does not properly neutralize user provided inputs. This could allow an authenticated adjacent attacker to execute SQL statements in the underlying database.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Exploitability: 2.1 | Impact: 4.2

Affected Packages (2 packages)

CVEListV5 | siemens/simatic_pcs_neo | All versions < V4.1

Vulnerability Details (2)

CVEList: CVE-2023-46097: A vulnerability has been identified in SIMATIC PCS neo (All versions < V4 | 2023-11-14
GHSA: GHSA-cgvj-x976-6v45: A vulnerability has been identified in SIMATIC PCS neo (All versions < V4 | 2023-11-14