Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ptsecurityPositive TechnologiesPT-2013-31
HistorySep 21, 2012 - 12:00 a.m.

PT-2013-31: Cross-Site Scripting in Siemens Simatic WinCC TIA Portal

2012-09-2100:00:00
Positive Technologies
www.ptsecurity.com
6

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

41.0%

JSON

PT-2013-31: Cross-Site Scripting in Siemens Simatic WinCC TIA Portal

Vulnerable software

Siemens Simatic WinCC TIA Portal
Version: 11.x

Application link:
http://www.siemens.com/

Severity level

Severity level: Medium
Impact: Cross-Site Scripting
Access Vector: Remote

CVSS v2:
Base Score: 4.0
Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)

CVE: CVE-2013-0672

Software description

WinCC TIA Portal is part of a new, integrated engineering concept which offers a uniform engineering environment for programming and configuration of control, visualization and drive solutions.

Vulnerability description

The specialists of the Positive Research center have detected “Cross-Site Scripting” vulnerability in Siemens Simatic WinCC TIA Portal.

The HMI’s web application is susceptible to stored Cross-Site-Scripting attacks. An authenticated user may store data on the web application, which will execute malicious JavaScript code, when other users access the affected page.

How to fix

Update your software up to the latest version

Advisory status

21.09.2012 - Vendor gets vulnerability details
15.03.2013 - Vendor releases fixed version and details
29.03.2013 - Public disclosure

Credits

The vulnerability was discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company)

References

<http://en.securitylab.ru/lab/PT-2013-31&gt;
<http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf&gt;

Reports on the vulnerabilities previously discovered by Positive Research:

<http://ptsecurity.com/research/advisory/&gt;
<http://en.securitylab.ru/lab/&gt;

Related

cve 1
prion 1
nvd 1
cvelist 1
ics 1
cve
cve
CVE-2013-0672
2022-10-03 16:15:05
prion
prion
Cross site scripting
2013-03-21 14:55:00
nvd
nvd
CVE-2013-0672
2013-03-21 14:55:01
cvelist
cvelist
CVE-2013-0672
2022-10-03 16:15:05
ics
ics
Siemens WinCC TIA Portal Vulnerabilities
2013-09-03 12:00:00

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

41.0%

JSON
Related for PT-2013-31
cve1prion1nvd1cvelist1ics1