CVE-2021-20994
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In multiple managed switches by WAGO in different versions an attacker may trick a legitimate user to click a link to inject possible malicious code into the Web-Based Management.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WAGO | 0852-0303 | unspecified <= V1.2.3.S0 | affected |
| WAGO | 0852-1305 | unspecified <= V1.1.7.S0 | affected |
| WAGO | 0852-1505 | unspecified <= V1.1.6.S0 | affected |
| WAGO | 0852-1305/000-001 | unspecified <= V1.0.4.S0 | affected |
| WAGO | 0852-1505/000-001 | unspecified <= V1.0.4.S0 | affected |
Weaknesses
- CWE-79: CWE-79 Cross-site Scripting (XSS)
Workarounds
Disable the web server of the device. Use the CLI interface of the device. Update to the latest firmware. Restrict network access to the device. Do not directly connect the device to the internet.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.