| Article No. | Product Name | Affected Version(s) |
|---|---|---|
| | PASvisu | < 1.14.1 |
| 266807, 266812, 266815 | PMI v8xx | <= 2.0.33992 |
Multiple Pilz products are affected by stored cross-site scripting (XSS) vulnerabilities. The
vulnerabilities may enable an attacker to gain full control over the system.
Update: 27.02.2024 Fix typo in advisory title
A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.
A cross-site scripting vulnerability in the Builder component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious JavaScript and gain full control over the device.
The vulnerabilities allow an attacker to inject malicious JavaScript code into the system. With PASvisu
Builder, in a worst-case scenario, this can lead to execution of arbitrary code using the privileges of the
user running the affected software. With PASvisu Runtime (including PMI v8xx), in a worst-case
scenario, this could have an impact on the controlled automation application.
Mitigation
• Only use project files from trustworthy sources.
• Protect project files against modification by unauthorized users.
• PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar
measures. Use password protection on the online project.
Remediation
• Install the fixed product version as soon as it is available. Please visit the Pilz eShop
(https://www.pilz.com/en-INT/eshop) to check for the fixed version.
CERT@VDE coordinated with Pilz