CVE-2023-46281

Опубликовано: 12 дек. 2023

Источник: nvd

CVSS3: 7.1

CVSS3: 8.8

EPSS Низкий

Описание

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). When accessing the UMC Web-UI from affected products, UMC uses an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.

Ссылки

https://cert-portal.siemens.com/productcert/html/ssa-999588.html
https://cert-portal.siemens.com/productcert/pdf/ssa-999588.pdf
Patch
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-999588.html
https://cert-portal.siemens.com/productcert/pdf/ssa-999588.pdf
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:siemens:opcenter_quality:-:*:*:*:*:*:*:*

cpe:2.3:a:siemens:simatic_pcs_neo:*:*:*:*:*:*:*:*

Версия до 4.1 (исключая)

cpe:2.3:a:siemens:sinumerik_integrate_runmyhmi_\/automotive:-:*:*:*:*:*:*:*

cpe:2.3:a:siemens:totally_integrated_automation_portal:*:*:*:*:*:*:*:*

Версия от 14.0 (включая) до 15 (исключая)

cpe:2.3:a:siemens:totally_integrated_automation_portal:*:*:*:*:*:*:*:*

Версия от 15 (включая) до 16 (исключая)

cpe:2.3:a:siemens:totally_integrated_automation_portal:*:*:*:*:*:*:*:*

Версия от 16 (включая) до 17 (исключая)

cpe:2.3:a:siemens:totally_integrated_automation_portal:*:*:*:*:*:*:*:*

Версия от 17 (включая) до 18 (исключая)

cpe:2.3:a:siemens:totally_integrated_automation_portal:-:*:*:*:*:*:*:*

cpe:2.3:a:siemens:totally_integrated_automation_portal:18:*:*:*:*:*:*:*

cpe:2.3:a:siemens:totally_integrated_automation_portal:18:update_1:*:*:*:*:*:*

EPSS

Процентиль: 30%

0.00111

Низкий

7.1 High

CVSS3

8.8 High

CVSS3

Дефекты

CWE-942

Связанные уязвимости

GHSA-9qvw-gvq6-g569

CVSS3: 7.1

github

около 2 лет назад

A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions < V4.1), SINUMERIK Integrate RunMyHMI /Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). When accessing the UMC Web-UI from affected products, UMC uses an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.

BDU:2024-00036

CVSS3: 8.8

fstec

около 2 лет назад

Уязвимость компонента управления UMC программных продуктов Opcenter Quality, SIMATIC PCS neo, SINUMERIK Integrate RunMyHMI/Automotive, Totally Integrated Automation Portal (TIA Portal), Totally Integrated Automation Portal (TIA Portal), Totally Integrated Automation Portal (TIA Portal), Totally Integrated Automation Portal (TIA Portal), Totally Integrated Automation Portal (TIA Portal), позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

EPSS

Процентиль: 30%

0.00111

Низкий

7.1 High

CVSS3

8.8 High

CVSS3

Дефекты

CWE-942