Cross-site request forgery in Siemens SIMATIC S7-1200

Published: 2018-10-10 17:06:08
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-13800
CVSSv3 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CWE ID CWE-352
Exploitation vector Network
Public exploit N/A
Vulnerable software SIMATIC S7-1200
Vulnerable software versions SIMATIC S7-1200 4.1.2
SIMATIC S7-1200 4.1.1
SIMATIC S7-1200 4.1
SIMATIC S7-1200 4.0
Vendor URL Siemens

Security Advisory

1) Cross-site request forgery

Description

The vulnerability allows a remote unauthenticated attacker to perform a CSRF attack.

The weakness exists due to insufficient CSRF protections. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, and thereby gain access to the system and perform arbitrary actions on the victim's behalf.

Remediation

Update to version 4.2.3.

External links

https://cert-portal.siemens.com/productcert/pdf/ssa-507847.pdf
