CVE-2025-3020

Summary

An low privileged remote Attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage with limited impact.

Affected Software

VendorProductVersion RangeStatus
Wiesemann & TheisERP-Gateway 12x Digital Input, 6x Digital Relaisallaffected
Wiesemann & TheisERP-Gateway 2x Digital Input, 2x Digital Outputallaffected
Wiesemann & TheisERP-Gateway 2x Digital PoEallaffected
Wiesemann & TheisWeb-Alarm 6x6 DigitalWeb-Alarm 6x6 Digitalallaffected
Wiesemann & TheisWeb-Count 6x Digital0 < 3.79affected
Wiesemann & TheisWeb-Graph Air Qualityallaffected
Wiesemann & TheisWeb-IO 12x Digital Input, 6x Digital Relaisallaffected
Wiesemann & TheisWeb-IO 12x Digital Input, 6x Digital Relaisallaffected
Wiesemann & TheisWeb-IO 12x Digital Input, 6x Digital Relaisallaffected
Wiesemann & TheisWeb-IO Analog-In/Out 2x 0/4..20mA PoEallaffected
Wiesemann & TheisWeb-IO Digital 12xIn, 12xOutallaffected
Wiesemann & TheisWeb-IO Digital 12xIn, 12xOutallaffected
Wiesemann & TheisWeb-IO Digital 12xIn, 12xOut0 < 4.08affected
Wiesemann & TheisWeb-IO Digital 12xIn, 12xOut, 1xRS232allaffected
Wiesemann & TheisWeb-IO Digital 12xIn, 12xOut, 1xRS232allaffected
Wiesemann & TheisWeb-IO Digital 2xIn, 2xOutallaffected
Wiesemann & TheisWeb-IO Digital 2xIn, 2xOutallaffected
Wiesemann & TheisWeb-IO Digital 2xIn, 2xOutallaffected
Wiesemann & TheisWeb-IO Digital Logger 6xIn, 6xOut0 < 3.70affected
Wiesemann & TheisWeb-Thermograph 2xallaffected
Wiesemann & TheisWeb-Thermograph 8xallaffected
Wiesemann & TheisWeb-Thermograph NTCallaffected
Wiesemann & TheisWeb-Thermograph NTC PoEallaffected
Wiesemann & TheisWeb-Thermograph Pt100 / Pt1000allaffected
Wiesemann & TheisWeb-Thermograph Pt100 / Pt1000 PoEallaffected
Wiesemann & TheisWeb-Thermograph Relaisallaffected
Wiesemann & TheisWeb-Thermo-Hygrobarographallaffected
Wiesemann & TheisWeb-Thermo-Hygrographallaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References