China National Vulnerability Database: CNVD-2022-91615
Oct 13, 2022 - 12:00 a.m.

Multiple Siemens Products Axon Language Query Cross-Site Request Forgery Vulnerability

www.cnvd.org.cn
8
Tags: siemens, desigo px, cross-site request forgery, vulnerability, axon language, remote attacker, arbitrary queries

EPSS: 0.001 (Low), percentile 35.0%

Siemens Desigo PX is a building automation control system from Siemens, a German company. A cross-site request forgery vulnerability exists in several Siemens products. It stems from the absence of anti-CSRF token validation or other origin checks in the endpoint of the “Operation” Web application that interprets and executes Axon language queries. By tricking a victim into clicking on a malicious link or visiting a specially crafted Web page while logged into the device Web application, an unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary Axon queries against the device.
