Headline
CVE-2023-34412: VDE-2023-029 | CERT@VDE
A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower 7.3.2 allows an authenticated remote attacker to store an arbitrary JavaScript payload on the diagnosis page of the device. That page is loaded immediately after login in to the device and runs the stored payload, allowing the attacker to read and write browser data and reduce system performance.
2023-08-17 14:00 (CEST) VDE-2023-029
Helmholz: Cross-site Scripting vulnerability in REX 200/REX 250
Share: Email | Twitter
Published
2023-08-17 14:00 (CEST)
Last update
2023-08-17 15:05 (CEST)
Vendor(s)
Helmholz GmbH & Co. KG
Product(s)
Article No°
Product Name
Affected Version(s)
REX 200
< 7.3.2
REX 250
< 7.3.2
Summary
A stored XXS vulnerability has been found in REX 200 and REX 250 in all versions before 7.3.2.
CVE ID
Last Update:
Aug. 15, 2023, 11:19 a.m.
Severity
Weakness
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79)
Summary
A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower 7.3.2 allows an authenticated remote attacker to store an arbitrary JavaScript payload on the diagnosis page of the device.
That page is loaded immediately after login in to the device and runs the stored payload, allowing the attacker to read and write browser data and reduce system performance.
Details
Impact
A remote, authenticated attacker can fully compromise the browser session of all users accessing the devices web interface.
Solution
Reported by
CERT@VDE coordinated with Helmholz.