Overly permissive cross-domain whitelist in SIMATIC PCS neo - CVE-2023-46098
Published: November 15, 2023
Vulnerability identifier: #VU83179
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-46098
CWE-ID: CWE-942
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Siemens
Affected software:
SIMATIC PCS neo
SIMATIC PCS neo
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass the CORS protection mechanism.
The vulnerability exists due to incorrect processing of the "Origin" HTTP header that is supplied within HTTP request when accessing the Information Server. A remote attacker on the local network can trick a victim to trigger unwanted behavior
How to mitigate CVE-2023-46098
Install updates from vendor's website.