Loading

PN1626 | Cross Site Request Forgery in FactoryTalk® Vantagepoint®

Severity:
High
Advisory ID:
PN1626
Date de publication:
May 11, 2023
Date de la dernière mise à jour:
September 26, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Non
Corrected:
Non
Workaround:
Non
CVE IDs
CVE-2023-2444
Résumé
Cross Site Request Forgery in FactoryTalk® Vantagepoint®

 

Revision Number
1..1
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - September 26, 2025

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Vantagepoint® <v8.40 V8.40 and later

Vulnerability Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess for security issues.

CVE-2023-2444 IMPACT
A cross site request forgery security issue exists in the affected product. This security issue can be used in two ways. In one way an attacker sends a harmful link to a computer that is on the same domain as the FactoryTalk® Vantagepoint® server. A user then clicks the link, and the attacker impersonates the legitimate user and send requests to the affected product.

 A second way, an attacker sends an untrusted link to a computer that is not on the same domain as the server. A user then opens the FactoryTalk® Vantagepoint® website and enters credentials for the FactoryTalk® Vantagepoint® server. The user then clicks on the harmful link for a cross site request forgery attack to be successful.

CVSS Base Score: 7.1/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE: CWE-345 Insufficient Verification of Data Authenticity


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use our security best practices to minimize risks.
  • Provide training about social engineering attacks, such as phishing.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2444 JSON

Glossary

Cross Site Request Forgery: (CSRF) an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated

Phishing: cyberattack that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data, downloading malware or otherwise exposing themselves to cybercrime

 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Accueil Rockwell Automation Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
Veuillez mettre à jour vos préférences en matière de cookies pour continuer.
Cette fonctionnalité nécessite des cookies pour améliorer votre expérience. Veuillez mettre à jour vos préférences pour autoriser ces cookies:
  • Cookies de réseaux sociaux
  • Cookies fonctionnels
  • Cookies de performances
  • Cookies marketing
  • Tous les cookies
Vous pouvez mettre à jour vos préférences à tout moment. Pour plus d'informations, veuillez consulter notre {0} politique de confidentialité
CloseClose