CVE-2021-21004

Summary

In Phoenix Contact FL SWITCH SMCS series products in multiple versions an attacker may insert malicious code via LLDP frames into the web-based management which could then be executed by the client.

Affected Software

VendorProductVersion RangeStatus
Phoenix ContactFL SWITCHSMCS 16TX (2700996) <= 4.70affected
Phoenix ContactFL SWITCHSMCS 14TX/2FX (2700997) <= 4.70affected
Phoenix ContactFL SWITCHSMCS 14TX/2FX-SM (2701466) <= 4.70affected
Phoenix ContactFL SWITCHSMCS 8GT (2891123) <= 4.70affected
Phoenix ContactFL SWITCHSMCS 6GT/2SFP (2891479) <= 4.70affected
Phoenix ContactFL SWITCHSMCS 8TX-PN (2989103) <= 4.70affected
Phoenix ContactFL SWITCHSMCS 4TX-PN (2989093) <= 4.70affected
Phoenix ContactFL SWITCHSMCS 8TX (2989226) <= 4.70affected
Phoenix ContactFL SWITCHSMCS 6TX/2SFP (2989323) <= 4.70affected
Phoenix ContactFL SWITCHSMN 6TX/2POF-PN (2700290) <= 4.70affected
Phoenix ContactFL SWITCHSMN 8TX-PN (2989501) <= 4.70affected
Phoenix ContactFL SWITCHSMN 6TX/2FX (2989543) <= 4.70affected
Phoenix ContactFL SWITCHSMN 6TX/2FX SM (2989556) <= 4.70affected
Phoenix ContactFL NATSMN 8TX (2989365) <= 4.63affected
Phoenix ContactFL NATSMN 8TX-M (2702443) <= 4.63affected

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

Workarounds

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note: Measures to protect network-capable devices with Ethernet connection https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf

ADP Enrichment

CVE Program Container

Additional References

References