CVE-2021-34582
4.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
In Phoenix Contact FL MGUARD 1102 and 1105 in Versions 1.4.0, 1.4.1 and 1.5.0 a user with high privileges can inject HTML code (XSS) through web-based management or the REST API with a manipulated certificate file.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PHOENIX CONTACT | FL MGUARD | 1.4.0 < FL MGUARD 1102 (No. 1153079)* | affected |
| PHOENIX CONTACT | FL MGUARD | 1.4.0 < FL MGUARD 1105 (No. 1153078)* | affected |
Weaknesses
- CWE-79: CWE-79 Cross-site Scripting (XSS)
Workarounds
If an untrusted user may have exploited the vulnerability, it is recommended to revoke access for that user, and to re-upload the certificates on the Basic settings > LDAP and Logs > Remote logging pages through the REST API (i.e., without viewing these pages in the web-based management).
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.