CVE-2022-29034
CVE-2022-29034
In short
The SINEMA Remote Connect Server web interface has a flaw where error messages don't block JavaScript code, allowing attackers to inject malicious scripts that execute in users' browsers when they click a specially crafted link.
Technical detail
A reflected XSS vulnerability exists in the error message pop-up window of the web interface where user input is not properly sanitized or encoded. An unauthenticated attacker can craft a malicious URL containing JavaScript payload that executes in the victim's browser context when accessed, potentially leading to session hijacking or credential theft.
Summary generated and translated by AI from the official description.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An error message pop up window in the web interface of the affected application does not prevent injection of JavaScript code.
This could allow attackers to perform reflected cross-site scripting (XSS) attacks.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C
Affected products
Siemens · SINEMA Remote Connect ServerWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/167554/SIEMENS-SINEMA-Remote-Connect-3.0.1.0-01.01.00.02-Cross-Site-Scripting.htmlhttps://cert-portal.siemens.com/productcert/html/ssa-484086.htmlhttps://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdfhttp://seclists.org/fulldisclosure/2022/Jun/35