Loading

PN1622 | ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities

Severity:
High,
Medium
Advisory ID:
PN1622
公開日:
May 11, 2023
最終更新日:
September 08, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
いいえ
Corrected:
いいえ
Workaround:
いいえ
CVE IDs
CVE-2023-29030,
CVE-2023-29022,
CVE-2023-29028,
CVE-2023-29027,
CVE-2023-29023,
CVE-2023-29026,
CVE-2023-29029,
CVE-2023-29031,
CVE-2023-29024,
CVE-2023-29025
概要
ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities

 

Revision Number
1.1
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - September 8, 2025 - Updated for better readability

Affected Products

Affected Product (automated) First Known in Firmware Revision Corrected in Firmware Revision
ArmorStart® ST 281E v2.004.06 N/A
ArmorStart® ST 284E all N/A
ArmorStart® ST 280E all N/A

Security Issue Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues.

CVE-2023-29031 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29030 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29023 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29024 IMPACT
A cross site scripting vulnerability was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this.

CVSS Base Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29025 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29026 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface.This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29027 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29028 IMPACT
A cross site scripting vulnerability was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29029 IMPACT
A cross site scripting security issue was discovered. Thist could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023 29022 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation



Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the below risk mitigation.
  • Disable the webserver during normal use. The webserver is disabled by default and should only be enabled to modify configurations. After modifying configurations, the web server should be disabled.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Customers should use our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

  • CVE-2023-29022 JSON
  • CVE-2023-29023 JSON
  • CVE-2023-29024 JSON
  • CVE-2023-29025 JSON
  • CVE-2023-29026 JSON
  • CVE-2023-29027 JSON
  • CVE-2023-29028 JSON
  • CVE-2023-29029 JSON
  • CVE-2023-29030 JSON
  • CVE-2023-29031 JSON

Glossary

Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites

 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left ロックウェル・オートメーションのホーム Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust & Security Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
を続行するには、クッキーの設定を更新してください.
この機能には、お客様の利便性を向上させるためにクッキーが必要です。これらのクッキーを許可するように設定を更新してください:
  • ソーシャルメディア・クッキー
  • 機能性クッキー
  • パフォーマンスクッキー
  • マーケティングクッキー
  • 全てのクッキー
いつでも設定を更新することができます。詳しくは{0}をご覧ください プライバシーポリシー
CloseClose