Lucene search

IcscertCVE-2024-6558

HistoryJul 25, 2024 - 8:15 p.m.

CVE-2024-6558

2024-07-2520:15:05

CWE-79

icscert

web.nvd.nist.gov

hms industrial networks

xss attack

input sanitation checks

html code

social engineering attacks

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

ACTIVE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/SC:H/VI:L/SI:H/VA:L/SA:L

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

17.7%

JSON

HMS Industrial Networks

Anybus-CompactCom 30 products are vulnerable to a XSS attack caused by the lack of input sanitation checks. As a consequence, it is possible to insert HTML code into input fields and store the HTML code. The stored HTML code will be embedded in the page and executed by host browser the next time the page is loaded, enabling social engineering attacks.

Affected configurations

Nvd

Node

hms-networksanybus_compactcom_30_module_ethernet\/ip_firmwareMatch-

AND

hms-networksanybus_compactcom_30_module_ethernet\/ipMatch-

Node

hms-networksanybus_compactcom_30_module_usb_without_housing_firmwareMatch-

AND

hms-networksanybus_compactcom_30_module_usb_without_housingMatch-

VendorProductVersionCPE
hms-networksanybus_compactcom_30_module_ethernet\/ip_firmware-cpe:2.3:o:hms-networks:anybus_compactcom_30_module_ethernet\/ip_firmware:-:*:*:*:*:*:*:*
hms-networksanybus_compactcom_30_module_ethernet\/ip-cpe:2.3:h:hms-networks:anybus_compactcom_30_module_ethernet\/ip:-:*:*:*:*:*:*:*
hms-networksanybus_compactcom_30_module_usb_without_housing_firmware-cpe:2.3:o:hms-networks:anybus_compactcom_30_module_usb_without_housing_firmware:-:*:*:*:*:*:*:*
hms-networksanybus_compactcom_30_module_usb_without_housing-cpe:2.3:h:hms-networks:anybus_compactcom_30_module_usb_without_housing:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
hms-networks	anybus_compactcom_30_module_ethernet\/ip_firmware	-	cpe:2.3:o:hms-networks:anybus_compactcom_30_module_ethernet\/ip_firmware:-:::::::*
hms-networks	anybus_compactcom_30_module_ethernet\/ip	-	cpe:2.3:h:hms-networks:anybus_compactcom_30_module_ethernet\/ip:-:::::::*
hms-networks	anybus_compactcom_30_module_usb_without_housing_firmware	-	cpe:2.3:o:hms-networks:anybus_compactcom_30_module_usb_without_housing_firmware:-:::::::*
hms-networks	anybus_compactcom_30_module_usb_without_housing	-	cpe:2.3:h:hms-networks:anybus_compactcom_30_module_usb_without_housing:-:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Anybus-CompactCom 30",
    "vendor": "HMS Industrial Networks",
    "versions": [
      {
        "status": "affected",
        "version": "all versions"
      }
    ]
  }
]

References

hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-05-17-001---anybus---compactcom-30-xss.pdf

www.cisa.gov/news-events/ics-advisories/icsa-24-193-20

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

ACTIVE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/SC:H/VI:L/SI:H/VA:L/SA:L

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

17.7%

JSON

Related for CVE-2024-6558