HMS Industrial Networks Anybus-CompactCom 30

1. EXECUTIVE SUMMARY

  • CVSS v4 6.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: HMS Industrial Networks
  • Equipment: Anybus-CompactCom 30
  • Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition, exfiltrate data, or obtain a high degree of control over the device and subsequent systems, including remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Anybus-CompactCom 30, an industrial communication interface, are affected if they include a web server:

  • Anybus-CompactCom 30: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

The Anybus-CompactCom 30 products are vulnerable to an XSS attack caused by the lack of input sanitization checks. As a consequence, it is possible to insert HTML code into input fields and have that HTML code stored. The stored HTML code will be embedded in the page and executed by the host browser the next time the page is loaded, enabling social engineering attacks.
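The pattern behind CWE-79 as described above, as an added example that is not code from the advisory or from HMS: a stored field value embedded into generated HTML by plain string concatenation, beside the same template with output encoding applied. The field name, the sample stored value and the function names are assumptions.

```javascript
// Added example, not HMS code. Shows the stored-XSS defect at the point
// where a stored field value is written into a generated page.

// Constructed sample: a device-name field as a web server might store it
// when the input is accepted without any neutralization.
const STORED_DEVICE_NAME = 'Pump-7 <script>alert(1)</script>';

// Vulnerable pattern: the stored string becomes markup in the page.
function renderDeviceNameUnsafe(name) {
  return `<td class="device-name">${name}</td>`;
}

// Encode the five characters that let data escape text content or a
// double-quoted attribute value. Ampersand must be handled first so the
// entities produced by the later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: same template, data encoded at the output point, so
// the stored value is displayed as text rather than interpreted as HTML.
function renderDeviceNameSafe(name) {
  return `<td class="device-name">${escapeHtml(name)}</td>`;
}

// Regression check for the rendered fragment: strip the template's own
// cell tags and report whether any tag-like sequence remains in the body.
function containsInjectedTag(html) {
  const body = html
    .replace(/^<td class="device-name">/, '')
    .replace(/<\/td>$/, '');
  return /<[a-zA-Z!\/]/.test(body);
}

console.log(renderDeviceNameUnsafe(STORED_DEVICE_NAME)); // markup survives
console.log(renderDeviceNameSafe(STORED_DEVICE_NAME));   // shown as text
```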

CVE-2024-6558 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-6558. A base score of 6.3 has been calculated; the CVSS vector string is (