Details of VAR-202311-0457

ID

VAR-202311-0457

CVE

CVE-2023-46099

TITLE

Siemens' SIMATIC PCS neo Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-017478

DESCRIPTION

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). There is a stored cross-site scripting vulnerability in the Administration Console of the affected product, that could allow an attacker with high privileges to inject Javascript code into the application that is later executed by another legitimate user. Siemens' SIMATIC PCS neo Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. SIMATIC PCS neo is a distributed control system (DCS)

Trust: 2.16

sources: NVD: CVE-2023-46099 // JVNDB: JVNDB-2023-017478 // CNVD: CNVD-2023-86335

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-86335

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic pcs neo	scope:	lt	version:	4.1	Trust: 1.6
vendor:	シーメンス	model:	simatic pcs neo	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	simatic pcs neo	scope:	eq	version:	4.1	Trust: 0.8
vendor:	シーメンス	model:	simatic pcs neo	scope:	-	version:	-	Trust: 0.8

sources: CNVD: CNVD-2023-86335 // JVNDB: JVNDB-2023-017478 // NVD: CVE-2023-46099

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-46099
value:	MEDIUM
Trust: 1.0
productcert@siemens.com:	CVE-2023-46099
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-46099
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2023-86335
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2023-86335
severity:	MEDIUM
baseScore:	5.2
vectorString:	AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-46099
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
productcert@siemens.com:	CVE-2023-46099
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.2
impactScore:	3.7
version:	3.1
Trust: 1.0
NVD:	CVE-2023-46099
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-86335 // JVNDB: JVNDB-2023-017478 // NVD: CVE-2023-46099 // NVD: CVE-2023-46099

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-017478 // NVD: CVE-2023-46099

PATCH

title:

Patch for Siemens SIMATIC PCS neo cross-site scripting vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/481906

Trust: 0.6

sources: CNVD: CNVD-2023-86335

EXTERNAL IDS

db:	NVD	id:	CVE-2023-46099	Trust: 3.2
db:	SIEMENS	id:	SSA-456933	Trust: 2.4
db:	JVN	id:	JVNVU92598492	Trust: 0.8
db:	ICS CERT	id:	ICSA-23-320-06	Trust: 0.8
db:	JVNDB	id:	JVNDB-2023-017478	Trust: 0.8
db:	CNVD	id:	CNVD-2023-86335	Trust: 0.6

sources: CNVD: CNVD-2023-86335 // JVNDB: JVNDB-2023-017478 // NVD: CVE-2023-46099

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-456933.pdf	Trust: 1.8
url:	https://jvn.jp/vu/jvnvu92598492/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-46099	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-06	Trust: 0.8
url:	https://cert-portal.siemens.com/productcert/html/ssa-456933.html	Trust: 0.6

sources: CNVD: CNVD-2023-86335 // JVNDB: JVNDB-2023-017478 // NVD: CVE-2023-46099

SOURCES

db:	CNVD	id:	CNVD-2023-86335
db:	JVNDB	id:	JVNDB-2023-017478
db:	NVD	id:	CVE-2023-46099

LAST UPDATE DATE

2024-08-14T12:07:53.493000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-86335	date:	2023-11-15T00:00:00
db:	JVNDB	id:	JVNDB-2023-017478	date:	2024-01-09T03:18:00
db:	NVD	id:	CVE-2023-46099	date:	2023-11-20T15:10:25.943

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-86335	date:	2023-11-15T00:00:00
db:	JVNDB	id:	JVNDB-2023-017478	date:	2024-01-09T00:00:00
db:	NVD	id:	CVE-2023-46099	date:	2023-11-14T11:15:14.840