Lucene search

[email protected]CVE-2022-24042

HistoryMay 10, 2022 - 11:15 a.m.

CVE-2022-24042

2022-05-1011:15:08

CWE-613

[email protected]

web.nvd.nist.gov

cve-2022-24042

desigo dxr2

desigo pxc3

desigo pxc4

desigo pxc5

web application security

unauthorized access

nvd

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.9%

JSON

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.

Affected configurations

NVD

Node

siemensdesigo_pxc5_firmwareRange<02.20.142.10-10884

AND

siemensdesigo_pxc5Match-

Node

siemensdesigo_pxc4_firmwareRange<02.20.142.10-10884

AND

siemensdesigo_pxc4Match-

Node

siemensdesigo_pxc3_firmwareRange<01.21.142.4-18

AND

siemensdesigo_pxc3Match-

Node

siemensdesigo_dxr2_firmwareRange<01.21.142.5-22

AND

siemensdesigo_dxr2Match-

CPENameOperatorVersion
siemens:desigo_pxc5_firmwaresiemens desigo pxc5 firmwarelt02.20.142.10-10884

CPE	Name	Operator	Version
siemens:desigo_pxc5_firmware	siemens desigo pxc5 firmware	lt	02.20.142.10-10884

CNA Affected

[
  {
    "product": "Desigo DXR2",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V01.21.142.5-22"
      }
    ]
  },
  {
    "product": "Desigo PXC3",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V01.21.142.4-18"
      }
    ]
  },
  {
    "product": "Desigo PXC4",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V02.20.142.10-10884"
      }
    ]
  },
  {
    "product": "Desigo PXC5",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V02.20.142.10-10884"
      }
    ]
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf

Social References

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.9%

JSON

Related for CVE-2022-24042

nessus1 cvelist1 prion1 nvd1 ics1