N/A

A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). Improper Neutralization of Input During Web Page Generation exists in the “Import Files“ functionality of the “Operation” web application, due to the missing validation of the titles of files included in the input package. By uploading a specifically crafted graphics package, a remote low-privileged attacker can execute arbitrary JavaScript code.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

多款Siemens产品跨站脚本漏洞

Siemens Desigo PX是德国西门子（Siemens）公司的一套楼宇自动化控制系统。 Siemens 多款产品存在跨站脚本漏洞，该漏洞源于由于缺少对输入包中包含的文件标题的验证，“Operation” Web 应用程序的 Import Files 功能中存在网页生成期间输入的不正确中和。通过上传特制的图形包，远程低权限攻击者可以执行任意 JavaScript 代码。Desigo PXM30-1 V02.20.126.11-41 版本之前，Desigo PXM30.E V02.20.126.11-

N/A

N/A