CVE-2023-6028

Summary

A reflected cross-site scripting (XSS) vulnerability exists in the SVG version of System Diagnostics Manager of B&R Automation Runtime versions <= G4.93 that enables a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session.

Affected Software

VendorProductVersion RangeStatus
B&R Industrial AutomationAutomation Runtime14.0 < 14.93affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

Do not use Hyperlinks provided by untrusted 3rd party to access the SDM. Hyperlinks may be provided via:

  • Emails from unknown users
  • Social media channels
  • Messaging services
  • Webpages with comment functionality
  • QR Codes

The use of external Web Application Firewalls (WAF) can mitigate attacks using reflected cross-site scripting.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References