CVE-2023-46098 — Permissive Cross-domain Security Policy with Untrusted Domains in Siemens Simatic PCS NEO

CWE-942 — Permissive Cross-domain Security Policy with Untrusted Domains3 documents3 sources

Severity

8.8HIGHNVD

CNA8.0

EPSS

0.2%

top 59.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Simatic PCS NEO

Timeline

PublishedNov 14

Description

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDsiemens/simatic_pcs_neo< 4.1

▶CVEListV5siemens/simatic_pcs_neoAll versions < V4.1

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

CVEList

CVE-2023-46098: A vulnerability has been identified in SIMATIC PCS neo (All versions < V4↗2023-11-14

▶

GHSA

GHSA-qgvx-gh8h-gmqj: A vulnerability has been identified in SIMATIC PCS neo (All versions < V4↗2023-11-14

▶