CVE-2022-42786

Summary

Multiple W&T Products of the ComServer Series are prone to an XSS attack. An authenticated remote Attacker can execute arbitrary web scripts or HTML via a crafted payload injected into the title of the configuration webpage

Affected Software

VendorProductVersion RangeStatus
Wiesemann & TheisCom-Server LC1.0 < 1.48affected
Wiesemann & TheisCom-Server PoE 3 x Isolated1.0 < 1.48affected
Wiesemann & TheisCom-Server 20mA1.0 < 1.48affected
Wiesemann & TheisCom-Server ++1.0 < 1.48affected
Wiesemann & TheisAT-Modem-Emulator1.0 < 1.48affected
Wiesemann & TheisCom-Server UL1.0 < 1.48affected
Wiesemann & TheisCom-Server Highspeed 100BaseFX1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed 100BaseLX1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Office 1 Port1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Office 4 Port1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Industry1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed OEM1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Compact1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Isolated1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed 19" 1Port1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed 19" 4Port1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed PoE1.0 < 1.76affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References