Real Time Automation 460 Series


1. EXECUTIVE SUMMARY

  • CVSS v3 9.4
  • ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
  • Vendor: Real Time Automation
  • Equipment: 460MCBS
  • Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to run malicious JavaScript content, resulting in cross-site scripting (XSS).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Real Time Automation products are affected:

  • 460 Series: Versions prior to v8.9.8

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Real Time Automation 460 Series products with versions prior to v8.9.8 are vulnerable to cross-site scripting, which could allow an attacker to have any JavaScript referenced from the URL string executed by the gateway’s web interface. When this occurs, the gateway’s HTTP interface redirects to the main page, index.htm.

CVE-2023-4523 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
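As an added example (not code from the advisory, CISA or the vendor), a defender-side check for the two points above: a log scan that parses constructed access-log lines from a gateway HTTP interface, URL-decodes each request and flags requests carrying HTML or JavaScript in the URL string (the CWE-79 pattern described in 3.2.1), plus a helper that tests whether a 460 Series firmware version string falls in the affected range (prior to v8.9.8). The log lines, paths and query parameter names are constructed and assumed, not taken from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format) for a gateway's HTTP
# interface. These are illustrative, not captures from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2023:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 1532
10.0.0.7 - - [12/Sep/2023:10:02:15 +0000] "GET /index.htm?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0
10.0.0.7 - - [12/Sep/2023:10:02:16 +0000] "GET /status.htm?name=x%22%20onerror%3Dalert(1) HTTP/1.1" 302 0
10.0.0.9 - - [12/Sep/2023:10:03:40 +0000] "GET /config.htm?unit=7 HTTP/1.1" 200 980
"""

# ip, timestamp, method, URL and status code from a Common Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of HTML/JavaScript carried in the URL string (reflected XSS attempts).
XSS_INDICATORS = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def is_affected_version(version: str) -> bool:
    """True if a 460 Series firmware version string (e.g. 'v8.9.7') is prior to v8.9.8."""
    parts = tuple(int(p) for p in version.lstrip("vV").split("."))
    return parts < (8, 9, 8)


def find_xss_attempts(log_text: str) -> list[dict]:
    """Return the requests whose decoded URL contains script-injection indicators."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not requests
        decoded = unquote_plus(m.group("url"))
        # Decode a second time so double-encoded payloads are not missed.
        decoded = unquote_plus(decoded)
        if XSS_INDICATORS.search(decoded):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "url": decoded, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['url']}")
```

Requests answered with a redirect (302) to index.htm after carrying script content in the URL match the behaviour the advisory describes and are worth correlating with the source address.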

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA discovered public proof of concept as authored by Yehia Elghaly.

4. MITIGATIONS

Real Time Automation recommends users download and apply the new version of their product. To u

[…]

This article has been indexed from All CISA Advisories