CVE-2021-20994

Summary

In multiple managed switches by WAGO in different versions an attacker may trick a legitimate user to click a link to inject possible malicious code into the Web-Based Management.

Affected Software

VendorProductVersion RangeStatus
WAGO0852-0303unspecified <= V1.2.3.S0affected
WAGO0852-1305unspecified <= V1.1.7.S0affected
WAGO0852-1505unspecified <= V1.1.6.S0affected
WAGO0852-1305/000-001unspecified <= V1.0.4.S0affected
WAGO0852-1505/000-001unspecified <= V1.0.4.S0affected

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

Workarounds

Disable the web server of the device. Use the CLI interface of the device. Update to the latest firmware. Restrict network access to the device. Do not directly connect the device to the internet.

ADP Enrichment

CVE Program Container

Additional References

References