CVE-2022-22511: VDE-2022-004 | CERT@VDE

Various configuration pages of the device are vulnerable to reflected XSS (Cross-Site Scripting) attacks. An authorized attacker with user privileges may use this to gain access to confidential information on a PC that connects to the WBM after it has been compromised.

2022-03-09 08:00 (CET) VDE-2022-004

WAGO: Web-Based Management Cross-Site Scripting

Published: 2022-03-09 08:00 (CET)

Last update: 2022-03-09 08:19 (CET)

Vendor(s): WAGO GmbH & Co. KG

Product(s)

| Article No. | Product Name | Affected Version(s) |
|---|---|---|
| 751-9301 | Compact Controller CC100 | FW16 < FW22 |
| 752-8303/8000-002 | Edge Controller | FW16 < FW22 |
| 750-81xx/xxx-xxx | Series PFC100 | FW16 < FW22 |
| 750-82xx/xxx-xxx | Series PFC200 | FW16 < FW22 |
| 762-5xxx | Series Touch Panel 600 Advanced Line | FW16 < FW22 |
| 762-6xxx | Series Touch Panel 600 Marine Line | FW16 < FW22 |
| 762-4xxx | Series Touch Panel 600 Standard Line | FW16 < FW22 |

Summary

The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
Various configuration pages of the device are vulnerable to reflected XSS (Cross-Site Scripting) attacks.

CVE ID: CVE-2022-22511

Weakness: Improper Neutralization of Input During Web Page Generation (CWE-79)

Reported by

These vulnerabilities were reported to WAGO by: Mohamed Magdy Abumuslim
Coordination done by CERT@VDE.

Impact

An attacker needs an authorized login on the device in order to exploit the various configuration pages with malicious scripts. This can be used to install malicious code and to gain access to confidential information on a PC that connects to the WBM after it has been compromised.

Solution

Mitigation

  • Restrict network access to the device
  • Use strong passwords
  • Do not directly connect the device to the internet
  • Disable unused TCP/UDP ports

Solution

Please install the upcoming FW update, which will be available at the end of Q2/2022.
