CVE-2023-3526

Summary

In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user's browser.

Affected Software

VendorProductVersion RangeStatus
PHOENIX CONTACTCLOUD CLIENT 1101T-TX/TX0 < 2.06.10affected
PHOENIX CONTACTTC CLOUD CLIENT 1002-4G0 < 2.07.2affected
PHOENIX CONTACTTC CLOUD CLIENT 1002-4G ATT0 < 2.07.2affected
PHOENIX CONTACTTC CLOUD CLIENT 1002-4G VZW0 < 2.07.2affected
PHOENIX CONTACTTC ROUTER 3002T-4G0 < 2.07.2affected
PHOENIX CONTACTTC ROUTER 3002T-4G ATT0 < 2.07.2affected
PHOENIX CONTACTTC ROUTER 3002T-4G VZW0 < 2.07.2affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References