CVE-2020-15793
In short
Desigo Insight is vulnerable to clickjacking because it doesn't properly set the security headers that prevent its pages from being framed inside another site. An attacker could lure you to a site they control that loads the real application invisibly, hijacking your clicks and exposing your data.
Technical detail
The application fails to set the X-Frame-Options HTTP header, allowing attackers to embed it within an iframe on a malicious site. This enables clickjacking attacks where an unauthenticated attacker can deceive legitimate users into performing unintended actions or exposing sensitive data through UI redressing techniques.
Summary generated and translated by AI from the official description.
A vulnerability has been identified in Desigo Insight (All versions). The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker.
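A defender can confirm whether a deployment, or a reverse proxy placed in front of it, actually sends a usable anti-framing header. The following is an added example, not code from Siemens or from the original advisory: the function name `audit_framing` and all sample headers are constructed for illustration, and it goes beyond the page by also checking the CSP `frame-ancestors` directive, which supersedes X-Frame-Options in browsers that support it.

```python
# Added example: audit response headers for anti-framing protection.
# All header sets below are constructed samples, not captured from Desigo Insight.

PERMISSIVE = {"*", "http:", "https:"}
XFO_VALID = {"DENY", "SAMEORIGIN"}

def audit_framing(headers):
    """Return (ok, reason) for a list of (name, value) response header pairs."""
    # An enforced CSP frame-ancestors directive supersedes X-Frame-Options;
    # Content-Security-Policy-Report-Only is deliberately not matched here.
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if PERMISSIVE & set(sources):
                    return False, "frame-ancestors allows any origin"
                return True, "frame-ancestors " + " ".join(sources)

    # Collect X-Frame-Options values, including comma-joined duplicates.
    xfo = {v.strip().upper()
           for name, value in headers if name.lower() == "x-frame-options"
           for v in value.split(",") if v.strip()}
    if not xfo:
        return False, "no X-Frame-Options or frame-ancestors"
    if len(xfo) > 1:
        return False, "conflicting X-Frame-Options: " + ", ".join(sorted(xfo))
    (only,) = xfo
    if only in XFO_VALID:
        return True, "X-Frame-Options " + only
    # ALLOW-FROM is obsolete and unsupported in current browsers.
    return False, "unsupported X-Frame-Options value: " + only

SAMPLES = {
    "missing": [("Content-Type", "text/html")],
    "deny": [("X-Frame-Options", "deny")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "conflict": [("X-Frame-Options", "DENY"), ("x-frame-options", "SAMEORIGIN")],
    "csp_self": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "csp_star_overrides_xfo": [("Content-Security-Policy", "frame-ancestors *"),
                               ("X-Frame-Options", "DENY")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_framing(hdrs))
```

The "missing" sample corresponds to the condition this CVE describes; the other cases cover header values that look protective but fail the audit.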
Affected products
Siemens · Desigo Insight