CVE-2024-46886

CWE-601 — Open Redirect3 documents3 sources

Severity

5.1MEDIUM

EPSS

0.1%

top 74.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

126

Siemens Simatic Drive Controller CPU 1504d TF Siemens Simatic Drive Controller CPU 1507d TF Siemens Simatic ET 200sp CPU 1510sp-1 PN +123 more

Timeline

PublishedOct 8

Description

The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted link.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Affected Packages126 packages

▶CVEListV5siemens/simatic_s7-plcsim_advanced< V7.0

▶CVEListV5siemens/siplus_s7-1500_cpu_1511-1_pn< V2.9.8

▶CVEListV5siemens/siplus_s7-1500_cpu_1513-1_pn< V2.9.8

▶CVEListV5siemens/simatic_s7-1500_cpu_1511-1_pn< V2.9.8+1

▶CVEListV5siemens/simatic_s7-1500_cpu_1513-1_pn< V2.9.8+1

🔴Vulnerability Details

GHSA

GHSA-5j8m-6w2f-56vm: The web server of affected devices does not properly validate input that is used for a user redirection↗2024-10-08

▶

CVEList

CVE-2024-46886: The web server of affected devices does not properly validate input that is used for a user redirection↗2024-10-08

▶