VDE-2023-012 | CERT@VDE

2023-08-17 14:00 (CEST) VDE-2023-012

Red Lion Europe: Cross-site Scripting vulnerability in mbNET/mbNET.rokey

Share: Email | Twitter

ID

VDE-2023-012

Published

2023-08-17 14:00 (CEST)

Last update

2023-08-17 15:05 (CEST)

Vendor(s)

Red Lion Europe GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	mbNET	< 7.3.2
	mbNET.rokey	< 7.3.2

Summary

A stored XXS vulnerability has been found in mbNET and mbNET/.rokey in all versions before 7.3.2.

CVE ID

CVE-2023-34412

Last Update:

Nov. 16, 2023, 12:03 p.m.

Severity

4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Summary

A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower 7.3.2 allows an authenticated remote attacker with high privileges to inject malicious HTML or JavaScript code (XSS).

Details

cert.vde.com

Impact

A remote, authenticated attacker can fully compromise the browser session of all users accessing the devices web interface.

Solution

Update to 7.3.2

Reported by

CERT@VDE coordinated with Red Lion Europe.