Affected Products
Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Enhanced HIM | v1.001 | v1.002
Security Issue Details
CVE-2023-2746 IMPACT
The API that the application uses is not sufficiently protected and is configured with incorrect Cross-Origin Resource Sharing (CORS) settings. As a result, it is vulnerable to Cross-Site Request Forgery (CSRF). To exploit this, a threat actor would have to convince a user to click on an untrusted link, either through a social engineering attack or by way of a Cross-Site Scripting (XSS) attack. A successful CSRF could lead to sensitive information disclosure and full remote access to the affected products.
CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to create more environment-specific categories.
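The advisory describes the defect only at the level of "incorrect CORS settings" leading to CSRF. The following added example (not code from Rockwell Automation or from the Enhanced HIM firmware) models the two sides of that defect in a generic web API: a permissive handler that reflects any Origin while allowing credentials, next to a hardened handler that allowlists the origin and additionally requires a session-bound CSRF token on state-changing requests. The origin names, paths, header names and token values are constructed for illustration and do not describe the real device's API.

```python
"""Added example: permissive versus hardened CORS/CSRF handling.
Not from the advisory or the product; hostnames, paths and tokens
below are constructed placeholders."""
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed allowlist. A real deployment would pin the origin the
# device's own web UI is served from, and nothing else.
TRUSTED_ORIGINS = {"https://him.example.local"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def weak_cors_headers(req):
    """The misconfiguration pattern behind CWE-352 findings of this kind:
    whatever Origin the browser sends is reflected back and credentials
    are allowed, so a page on any site can make the browser attach the
    user's session cookie and read the API response."""
    origin = req.headers.get("Origin", "*")
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(req):
    """Emit CORS headers only for an allowlisted origin; never reflect
    arbitrary origins. 'Vary: Origin' keeps caches from serving one
    origin's headers to another."""
    origin = req.headers.get("Origin")
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def is_cors_policy_weak(headers):
    """Classify a CORS response as weak when it grants credentialed access
    to an origin outside the allowlist (including a reflected or '*' one)."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acao is not None and acao not in TRUSTED_ORIGINS and creds


def _request_origin(req):
    """Origin header, falling back to the Referer's scheme://host for
    older clients that omit Origin on same-site requests."""
    origin = req.headers.get("Origin")
    if origin is None:
        ref = req.headers.get("Referer")
        if ref:
            parts = urlsplit(ref)
            origin = f"{parts.scheme}://{parts.netloc}"
    return origin


def authorize_state_change(req, expected_csrf_token):
    """Defence for state-changing calls: the request must come from a
    trusted origin AND carry the CSRF token bound to the session.
    A cross-site page cannot read that token, so a forged request
    cannot supply it even if the cookie is sent along."""
    if req.method in {"GET", "HEAD", "OPTIONS"}:
        return True
    if _request_origin(req) not in TRUSTED_ORIGINS:
        return False
    supplied = req.headers.get("X-CSRF-Token", "")
    if not expected_csrf_token or not supplied:
        return False
    # Constant-time comparison so token checking does not leak timing.
    return hmac.compare_digest(supplied.encode(), expected_csrf_token.encode())
```

A defender auditing a device can run the same classification against captured responses: send an OPTIONS or GET with an unrelated Origin value and feed the returned headers to `is_cors_policy_weak`; a reflected origin together with `Access-Control-Allow-Credentials: true` is the signature of the weak configuration, while the hardened handler returns no CORS headers at all for an untrusted origin.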
Risk Mitigation & User Action
- Upgrade to firmware revision v1.002, which mitigates this issue.
- Security Best Practices: QA43240 - Recommended Security Guidelines from Rockwell Automation
Additional Resources
Glossary
Application Programming Interface (API): a set of protocols and tools that allow different software applications to communicate with each other.
Cross-Origin Resource Sharing (CORS): an HTTP-header-based mechanism that allows a server to specify which origins (domains, schemes, or ports) are permitted to access its resources.
Cross-Site Request Forgery (CSRF): an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
Cross-Site Scripting (XSS) Vulnerability: a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited.