1. EXECUTIVE SUMMARY
- CVSS v4 6.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Yokogawa
- Equipment: FAST/TOOLS and CI Server
- Vulnerabilities: Cross-site Scripting, Empty Password in Configuration File
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to launch a malicious script and take control of affected products.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Yokogawa FAST/TOOLS and CI Server, SCADA software environments, are affected:
- FAST/TOOLS RVSVRN Package: Versions R9.01 through R10.04
- FAST/TOOLS UNSVRN Package: Versions R9.01 through R10.04
- FAST/TOOLS HMIWEB Package: Versions R9.01 through R10.04
- FAST/TOOLS FTEES Package: Versions R9.01 through R10.04
- FAST/TOOLS HMIMOB Package: Versions R9.01 through R10.04
- CI Server: Versions R1.01.00 through R1.03.00
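An added example, not part of the advisory or of any Yokogawa tooling: a check of installed versions against the ranges listed above, for use over an asset inventory. The inventory layout, the host names and the rule that a missing third version component counts as 0 are assumptions.

```python
import re

# Inclusive affected ranges, copied from section 3.1 of the advisory.
FAST_TOOLS_PACKAGES = ("RVSVRN", "UNSVRN", "HMIWEB", "FTEES", "HMIMOB")
AFFECTED = {("FAST/TOOLS", pkg): ("R9.01", "R10.04") for pkg in FAST_TOOLS_PACKAGES}
AFFECTED[("CI Server", None)] = ("R1.01.00", "R1.03.00")

_VERSION_RE = re.compile(r"R(\d+(?:\.\d+){1,2})")

def parse_version(text):
    """'R10.04' -> (10, 4, 0). Assumes a missing third component means 0."""
    match = _VERSION_RE.fullmatch(text.strip().upper())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(product, package, version):
    """True/False when a verdict is possible, None when manual review is needed."""
    bounds = AFFECTED.get((product, package))
    if bounds is None:
        return None  # product/package pair is not listed in the advisory
    try:
        installed = parse_version(version)
    except ValueError:
        return None  # empty field, or a suffix this parser does not understand
    low, high = (parse_version(b) for b in bounds)
    # Numeric comparison matters: as plain strings, "R10.04" sorts before
    # "R9.01", so a string range check would report R10.04 as unaffected.
    return low <= installed <= high

# Constructed sample inventory (host names and installed versions are made up).
INVENTORY = [
    ("scada-01", "FAST/TOOLS", "HMIWEB", "R10.04"),
    ("scada-02", "FAST/TOOLS", "RVSVRN", "R9.01"),
    ("scada-03", "FAST/TOOLS", "HMIMOB", "R10.05"),
    ("scada-04", "FAST/TOOLS", "FTEES", "R8.03"),
    ("ci-01", "CI Server", None, "R1.02.00"),
    ("ci-02", "CI Server", None, "unknown"),
]

def audit(inventory):
    """Map each host to its verdict (True, False or None)."""
    return {host: is_affected(prod, pkg, ver) for host, prod, pkg, ver in inventory}

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "outside listed range", None: "REVIEW"}
    for host, verdict in audit(INVENTORY).items():
        print(f"{host:10} {labels[verdict]}")
```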
3.2 Vulnerability Overview
3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79
The HTTP request processing function of the affected product’s WEB HMI server has a reflected XSS flaw that allows the execution of malicious scripts. If a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.
CVE-2024-4105 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for