#VU23589 Input validation error in XHQ Server - CVE-2019-13932

Cybersecurity Help s.r.o.

Published: 2019-12-13

Vulnerability identifier: #VU23589

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-13932

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
XHQ Server
Server applications / Web servers

Vendor: Siemens

Description

The vulnerability allows a remote attacker to cause the application to behave in unexpected ways.

The vulnerability exists due to the web application requests can be manipulated. A remote attacker can import scripts or generate malicious links to read or modify contents of the web application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

XHQ Server: before 6.0.0.2

External links
https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Siemens XHQ