CVE-2022-40178 Desigo PXM30-1, PXM30.E, PXM40-1, PXM40.E, PXM50-1 have multiple vulnerabilities.

A remote low-privilege attacker can exploit this vulnerability to perform cross-site request forgery (CSRF) attacks. A local low-privilege attacker can exploit this vulnerability to obtain sensitive information. Desigo PXM30-1 (All versions  V02.20.126.11-41), Desigo PXM30.E (All versions  V02.20.126.11-41), Desigo PXM40-1 (All versions  V02.20.126.11-41), Desigo PXM40.E (All versions  V02.20.126.11-41), Desigo PXM50-1 (All versions  V02.20.126.11-41), Desigo PXM50.E (All versions  V02.20.126.11-41) are vulnerable; however, in some cases, the web server may not correctly handle the file types of the input package. These issues have been fixed in the latest firmware version. Desigo PXM30-1 (All versions  V02.20.126.11-41), Desigo PXM30.E (All versions  V02.20.126.11-41), Desigo PXM40-1 (All versions  V02.20.126.11-41), Desigo PXM40.E (All versions  V02.20.126.11-41), Desigo PXM

Product Description

Desigo PXM30-1 is a high performance and flexible development platform. It offers more than 50 embedded databases, and it has the capability to support all application types including web, enterprise resource planning (ERP), games and industrial control systems.
Desigo PXM30-1 (All versions  V02.20.126.11-41) is vulnerable; however, in some cases, the web server may not correctly handle the file types of the input package. These issues have been fixed in the latest firmware version. Desigo PXM30-1 (All versions  V02.20.126.11-41), Desigo PXM30.E (All versions  V02.20.126.11-41), Desigo PXM40-1 (All versions  V02.20.126.11-41), Desigo PXM40.E (All versions  V02.20 126 11 -41), Desigo PXM50 -1 (All versions  v02 . 20 126 11 -41) are vulnerable; however, in some cases, the web server may not correctly handle the file types of the input package

Potential Impact

The vulnerability can be exploited to perform cross-site request forgery (CSRF) attacks. A local low-privilege attacker can exploit this vulnerability to obtain sensitive information.

Products and Services Affected

A remote low-privilege attacker can exploit this vulnerability to perform cross-site request forgery (CSRF) attacks. Desigo PXM30-1 (All versions  V02.20.126.11-41), Desigo PXM30.E (All versions  V02.20.126.11-41), Desigo PXM40-1 (All versions  V02.20.126.11-41), Desigo PXM40.E (All versions  V02.20.126.11-41), Desigo PXM50-1 (All versions  V02.20.126.11-41), Desigo PXM50.E (All versions  V02.20

Timeline

Published on: 10/11/2022 11:15:00 UTC
Last modified on: 10/12/2022 17:17:00 UTC

References

• https://cert-portal.siemens.com/productcert/pdf/ssa-360783.pdf
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40178