N/A

A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). A Cross-Site Request Forgery exists in endpoints of the “Operation” web application that interpret and execute Axon language queries, due to the missing validation of anti-CSRF tokens or other origin checks. By convincing a victim to click on a malicious link or visit a specifically crafted webpage while logged-in to the device web application, a remote unauthenticated attacker can execute arbitrary Axon queries against the device.

N/A

跨站请求伪造(CSRF)

多款Siemens产品跨站请求伪造漏洞

Siemens Desigo PX是德国西门子（Siemens）公司的一套楼宇自动化控制系统。 Siemens 多款产品存在跨站请求伪造漏洞，该漏洞源于由于缺少对反 CSRF 令牌或其他来源检查的验证，跨站点请求伪造存在于解释和执行 Axon 语言查询的“Operation” Web 应用程序的端点中。通过诱使受害者在登录设备 Web 应用程序时单击恶意链接或访问特制网页，未经身份验证的远程攻击者可以对设备执行任意 Axon 查询。Desigo PXM30-1 V02.20.126.11-41 版本之前，

N/A

N/A