CVE-2021-41541

Опубликовано: 08 мар. 2022

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). The Group Management page of affected devices is vulnerable to cross-site scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser action.

Ссылки

https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf
Patch
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

Одно из

cpe:2.3:o:siemens:climatix_pol909_firmware:*:*:*:*:advanced_web_module:*:*:*

Версия до 11.36 (исключая)

cpe:2.3:o:siemens:climatix_pol909_firmware:*:*:*:*:advanced_web_and_bacnet_module:*:*:*

Версия до 11.44 (исключая)

cpe:2.3:h:siemens:climatix_pol909:-:*:*:*:*:*:*:*

EPSS

Процентиль: 66%

0.00526

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-9g58-fxqj-4fr9