Lucene search

SiemensCVELIST:CVE-2023-46098

HistoryNov 14, 2023 - 11:04 a.m.

CVE-2023-46098

2023-11-1411:04:20

CWE-942

siemens

www.cve.org

vulnerability

simatic pcs neo

information server

cors policy

attacker

legitimate user

unwanted behavior

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

33.2%

JSON

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.

CNA Affected

[
  {
    "vendor": "Siemens",
    "product": "SIMATIC PCS neo",
    "versions": [
      {
        "version": "All versions < V4.1",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-456933.pdf

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

33.2%

JSON

Related for CVELIST:CVE-2023-46098