Loading

PN1630 | Enhanced HIM Vulnerable to Cross Site Request Forgery Attack

Severity:
Critical
Advisory ID:
PN1630
公開日:
July 11, 2023
最終更新日:
September 09, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
いいえ
Corrected:
いいえ
Workaround:
いいえ
CVE IDs
CVE-2023-2746
概要
Enhanced HIM Vulnerable to Cross Site Request Forgery Attack

 

Revision Number
1.1
Revision History
Version 1.0 - July 11, 2023
Version 1.1 - September 9, 2025

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Enhanced HIM v1.001 v1.002

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess thesecurity issues. The security of our products is important to us as your industrial automation supplier.  This issue was found internally during routine testing and is being reported based on our commitment to transparency and to improvement of all business environments.

CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings. As a result, it is vulnerable to a Cross Site Request Forgery (CSRF) attack. To use this, a threat actor would have to convince a user to click on an untrusted link. This is done through a social engineering attack or by performing a Cross Site Scripting Attack (XSS). Using a CSRF could lead to sensitive information disclosure and full remote access to the affected products.

CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use risk mitigation and our suggested security best practices to minimize the potential risks.
  • Upgrade to version 1.002 which mitigates this issue.
  • Security Best Practices: QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2746 JSON

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Cross-Origin Resource Sharing: (CORS) an HTTP-header-based mechanism that allows a server to specify which origins (domains, schemes, or ports) are permitted to access its resources

Cross Site Request Forgery: (CSRF) an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated 

Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left ロックウェル・オートメーションのホーム Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust & Security Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
を続行するには、クッキーの設定を更新してください.
この機能には、お客様の利便性を向上させるためにクッキーが必要です。これらのクッキーを許可するように設定を更新してください:
  • ソーシャルメディア・クッキー
  • 機能性クッキー
  • パフォーマンスクッキー
  • マーケティングクッキー
  • 全てのクッキー
いつでも設定を更新することができます。詳しくは{0}をご覧ください プライバシーポリシー
CloseClose