#VU15888 Open redirect in Siemens products - CVE-2018-13813
Published: November 14, 2018
Vulnerability identifier: #VU15888
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-13813
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Siemens SIMATIC WinCC
SIMATIC HMI MP Mobile Panel
SIMATIC HMI OP
SIMATIC HMI MP
SIMATIC HMI TP
SIMATIC WinCC Runtime Advanced
SIMATIC HMI KTP900F
SIMATIC HMI KTP900
SIMATIC HMI KTP700F
SIMATIC HMI KTP700
SIMATIC HMI KTP400F
SIMATIC HMI Comfort Outdoor Panels 7” & 15”
SIMATIC HMI Comfort Panels 4”-22”
SIMATIC WinCC Runtime Professional
Siemens SIMATIC WinCC
SIMATIC HMI MP Mobile Panel
SIMATIC HMI OP
SIMATIC HMI MP
SIMATIC HMI TP
SIMATIC WinCC Runtime Advanced
SIMATIC HMI KTP900F
SIMATIC HMI KTP900
SIMATIC HMI KTP700F
SIMATIC HMI KTP700
SIMATIC HMI KTP400F
SIMATIC HMI Comfort Outdoor Panels 7” & 15”
SIMATIC HMI Comfort Panels 4”-22”
SIMATIC WinCC Runtime Professional
Software vendor:
Siemens
Siemens
Description
The vulnerability allows a remote attacker to redirect victims to arbitrary URI.
The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary URI.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information
Remediation
Update the affected products to version 15 Update 4.