266807, 266812, 266815
Multiple Pilz products are affected by stored cross-site scripting (XSS) vulnerabilities. The
vulnerabilities may enable an attacker to gain full control over the system.
A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.
Builder in a worst-case scenario this can lead to execution of arbitrary code using the privileges of the
user running the affected software. With PASvisu Runtime (including PMI v8xx) in a worst-case
scenario this could have an impact on the controlled automation application.
• Only use project files from trustworthy sources.
• Protect project files against modification by unauthorized users.
• PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar
measures. Use password protection on the online project.
• Install the fixed product version as soon as it is available. Please visit the Pilz eShop
(https://www.pilz.com/en-INT/eshop) to check for the fixed version.
CERT@VDE coordinated with Pilz