4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
59.4%
Siemens Simatic WinCC TIA Portal
Version: 11.x
Application link:
http://www.siemens.com/
Severity level: Medium
Impact: Cross-Site Scripting
Access Vector: Remote
CVSS v2:
Base Score: 4.3
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE: CVE-2013-0667
WinCC TIA Portal is part of a new, integrated engineering concept which offers a uniform engineering environment for programming and configuration of control, visualization and drive solutions.
The specialists of the Positive Research center have detected “Cross-Site Scripting” vulnerability in Siemens Simatic WinCC TIA Portal.
If a user clicks on a malicious link which seems to lead to a HMI web application, it is possible to display any data to the user (server-side script injection).
Update your software up to the latest version
21.09.2012 - Vendor gets vulnerability details
15.03.2013 - Vendor releases fixed version and details
29.03.2013 - Public disclosure
The vulnerability was discovered by Artem Chaykin, Sergey Bobrov, Positive Research Center (Positive Technologies Company)
<http://en.securitylab.ru/lab/PT-2013-34>
<http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf>
Reports on the vulnerabilities previously discovered by Positive Research:
<http://ptsecurity.com/research/advisory/>
<http://en.securitylab.ru/lab/>