CVE-2021-34582

Summary

In Phoenix Contact FL MGUARD 1102 and 1105 in Versions 1.4.0, 1.4.1 and 1.5.0 a user with high privileges can inject HTML code (XSS) through web-based management or the REST API with a manipulated certificate file.

Affected Software

VendorProductVersion RangeStatus
PHOENIX CONTACTFL MGUARD1.4.0 < FL MGUARD 1102 (No. 1153079)*affected
PHOENIX CONTACTFL MGUARD1.4.0 < FL MGUARD 1105 (No. 1153078)*affected

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

Workarounds

If an untrusted user may have exploited the vulnerability, it is recommended to revoke access for that user, and to re-upload the certificates on the Basic settings > LDAP and Logs > Remote logging pages through the REST API (i.e., without viewing these pages in the web-based management).

ADP Enrichment

CVE Program Container

Additional References

References