Loading

PN1626 | Cross Site Request Forgery in FactoryTalk® Vantagepoint®

Severity:
High
Advisory ID:
PN1626
Data pubblicazione:
May 11, 2023
Ultimo aggiornamento:
September 26, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2023-2444
Riepilogo
Cross Site Request Forgery in FactoryTalk® Vantagepoint®

 

Revision Number
1..1
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - September 26, 2025

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Vantagepoint® <v8.40 V8.40 and later

Vulnerability Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess for security issues.

CVE-2023-2444 IMPACT
A cross site request forgery security issue exists in the affected product. This security issue can be used in two ways. In one way an attacker sends a harmful link to a computer that is on the same domain as the FactoryTalk® Vantagepoint® server. A user then clicks the link, and the attacker impersonates the legitimate user and send requests to the affected product.

 A second way, an attacker sends an untrusted link to a computer that is not on the same domain as the server. A user then opens the FactoryTalk® Vantagepoint® website and enters credentials for the FactoryTalk® Vantagepoint® server. The user then clicks on the harmful link for a cross site request forgery attack to be successful.

CVSS Base Score: 7.1/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE: CWE-345 Insufficient Verification of Data Authenticity


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use our security best practices to minimize risks.
  • Provide training about social engineering attacks, such as phishing.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2444 JSON

Glossary

Cross Site Request Forgery: (CSRF) an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated

Phishing: cyberattack that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data, downloading malware or otherwise exposing themselves to cybercrime

 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Home Rockwell Automation Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
Aggiorna le tue preferenze sui cookie per continuare.
Questa funzionalità richiede i cookie per migliorare la tua esperienza. Ti preghiamo di aggiornare le tue preferenze per consentire questi cookie:
  • Cookie dei social media
  • Cookie funzionali
  • Cookie di prestazione
  • Cookie di marketing
  • Tutti i cookie
Puoi aggiornare le tue preferenze in qualsiasi momento. Per ulteriori informazioni consultare il nostro {0} politica sulla riservatezza
CloseClose