ID

VAR-202312-0237


CVE

CVE-2023-46282


TITLE

Cross-site scripting vulnerability in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2023-019622

DESCRIPTION

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected applications that could allow an attacker to inject arbitrary JavaScript code. The code could potentially be executed later by another (possibly privileged) user.

Opcenter Quality, SIMATIC PCS neo, SINUMERIK Integrate RunMyHMI /Automotive: A cross-site scripting vulnerability exists in multiple Siemens products. Information may be obtained and information may be tampered with.

Opcenter Quality is a quality management system (QMS) that enables organizations to ensure compliance, optimize quality, reduce defect and rework costs, and achieve operational excellence by increasing process stability. SIMATIC PCS neo is a distributed control system (DCS). The SINUMERIK integrated product suite facilitates simple networking of machine tools in IT in production environments. User Management Component (UMC) is an integrated component that enables system-wide centralized maintenance of users

Trust: 2.16

sources: NVD: CVE-2023-46282 // JVNDB: JVNDB-2023-019622 // CNVD: CNVD-2023-97277

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-97277

AFFECTED PRODUCTS

vendor: siemens, model: simatic pcs neo, scope: lt, version: 4.1

Trust: 1.6

vendor: siemens, model: totally integrated automation portal, scope: lt, version: 17

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: lt, version: 15

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: lt, version: 18

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: eq, version: 18

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: eq, version: -

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: gte, version: 17

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: gte, version: 15

Trust: 1.0

vendor: siemens, model: opcenter quality, scope: eq, version: -

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: lt, version: 16

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: gte, version: 16

Trust: 1.0

vendor: siemens, model: totally integrated automation portal, scope: gte, version: 14.0

Trust: 1.0

vendor: siemens, model: sinumerik integrate runmyhmi /automotive, scope: eq, version: -

Trust: 1.0

vendor: Siemens, model: simatic pcs neo, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: opcenter quality, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: totally integrated automation portal, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: sinumerik integrate runmyhmi /automotive, scope: -, version: -

Trust: 0.8

vendor: siemens, model: totally integrated automation portal, scope: eq, version: v16

Trust: 0.6

vendor: siemens, model: totally integrated automation portal, scope: eq, version: v17

Trust: 0.6

vendor: siemens, model: totally integrated automation portal, scope: eq, version: v14

Trust: 0.6

vendor: siemens, model: totally integrated automation portal, scope: eq, version: v15.1

Trust: 0.6

vendor: siemens, model: opcenter quality, scope: -, version: -

Trust: 0.6

vendor: siemens, model: sinumerik integrate runmyhmi /automotive, scope: -, version: -

Trust: 0.6

vendor: siemens, model: totally integrated automation portal update, scope: eq, version: v18<v183

Trust: 0.6

sources: CNVD: CNVD-2023-97277 // JVNDB: JVNDB-2023-019622 // NVD: CVE-2023-46282

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-46282
value: MEDIUM

Trust: 1.0

productcert@siemens.com: CVE-2023-46282
value: HIGH

Trust: 1.0

NVD: CVE-2023-46282
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2023-97277
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2023-97277
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:H/AU:S/C:C/I:C/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-46282
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

productcert@siemens.com: CVE-2023-46282
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: 1.6
impactScore: 5.5
version: 3.1

Trust: 1.0

NVD: CVE-2023-46282
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-97277 // JVNDB: JVNDB-2023-019622 // NVD: CVE-2023-46282 // NVD: CVE-2023-46282

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-019622 // NVD: CVE-2023-46282

PATCH

title: Patch for Siemens User Management Component (UMC) cross-site scripting vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/500441

Trust: 0.6

sources: CNVD: CNVD-2023-97277

EXTERNAL IDS

db: NVD, id: CVE-2023-46282

Trust: 3.2

db: SIEMENS, id: SSA-999588

Trust: 2.4

db: JVN, id: JVNVU98271228

Trust: 0.8

db: ICS CERT, id: ICSA-23-348-03

Trust: 0.8

db: JVNDB, id: JVNDB-2023-019622

Trust: 0.8

db: CNVD, id: CNVD-2023-97277

Trust: 0.6

sources: CNVD: CNVD-2023-97277 // JVNDB: JVNDB-2023-019622 // NVD: CVE-2023-46282

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-999588.pdf

Trust: 1.8

url:https://cert-portal.siemens.com/productcert/html/ssa-999588.html

Trust: 1.6

url:https://jvn.jp/vu/jvnvu98271228/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2023-46282

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-03

Trust: 0.8

sources: CNVD: CNVD-2023-97277 // JVNDB: JVNDB-2023-019622 // NVD: CVE-2023-46282

SOURCES

db: CNVD, id: CNVD-2023-97277
db: JVNDB, id: JVNDB-2023-019622
db: NVD, id: CVE-2023-46282

LAST UPDATE DATE

2024-10-08T20:45:49.732000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2023-97277, date: 2023-12-13T00:00:00
db: JVNDB, id: JVNDB-2023-019622, date: 2024-01-15T02:22:00
db: NVD, id: CVE-2023-46282, date: 2024-10-08T09:15:09.323

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2023-97277, date: 2023-12-15T00:00:00
db: JVNDB, id: JVNDB-2023-019622, date: 2024-01-15T00:00:00
db: NVD, id: CVE-2023-46282, date: 2023-12-12T12:15:13.870