1. EXECUTIVE SUMMARY
- CVSS v3 6.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Festo SE & Co. KG
- Equipment: LX Appliance
- Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a user of LX Appliance with a high privilege account to craft a malicious course and launch an XSS attack.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Festo reports that the following products are affected:
- Festo Software LX Appliance: Versions prior to June 2023
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
The “src” attribute of the “track” tag allows a malicious user to bypass HTML escaping and execute arbitrary code. This affects the package video.js before 7.14.3.
CVE-2021-23414 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Communications, Critical Manufacturing, Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Festo coordinated this vulnerability with CERT@VDE.
4. MITIGATIONS
Festo has identified the following specific workarounds and mitigations users can apply to reduce risk:
- LX Appliance Versions prior to June 2023: Contact Festo Didacti
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: