Multiple unspecified cross-site scripting vulnerabilities in Siemens SIMATIC HMI
Release date:
Updated on: 2012-04-19
Affected Systems:
Siemens SIMATIC HMI
Siemens SIMATIC HMI Smart Options
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 51835
CVE ID: CVE-2011-4510, CVE-2011-4511
WinCC flexible is a human-machine interface used in some machine or process applications.
Multiple cross-site scripting vulnerabilities exist in the SIMATIC HMI implementation. Attackers can exploit these vulnerabilities to execute arbitrary script code in the user's browser and steal cookie-based authentication credentials.
<* Source: Billy Rios
Link: http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01A.pdf
http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Siemens
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.automation.siemens.com/mcms/automation/en/human-machine-interface/Pages/Default.aspx