cnvd - cnvd-2025-01696

cnvd-2025-01696

Vulnerability from cnvd

Title

Siemens Industrial Edge Management跨站脚本漏洞

Description

Industrial Edge代表一个开放的、即用型的边缘计算平台，由边缘设备、边缘应用程序、边缘连接以及应用程序和设备管理基础设施组成。 Siemens Industrial Edge Management存在跨站脚本漏洞，攻击者可利用漏洞获取用户cookie等敏感信息。

Severity

中

Formal description

目前暂无详细的解决方案： http://www.siemens.com/

Reference

https://cert-portal.siemens.com/productcert/html/ssa-416411.html

Impacted products

Name
Siemens Industrial Edge Management OS (IEM-OS)

Show details on source website

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-45385"
    }
  },
  "description": "Industrial Edge\u4ee3\u8868\u4e00\u4e2a\u5f00\u653e\u7684\u3001\u5373\u7528\u578b\u7684\u8fb9\u7f18\u8ba1\u7b97\u5e73\u53f0\uff0c\u7531\u8fb9\u7f18\u8bbe\u5907\u3001\u8fb9\u7f18\u5e94\u7528\u7a0b\u5e8f\u3001\u8fb9\u7f18\u8fde\u63a5\u4ee5\u53ca\u5e94\u7528\u7a0b\u5e8f\u548c\u8bbe\u5907\u7ba1\u7406\u57fa\u7840\u8bbe\u65bd\u7ec4\u6210\u3002\n\nSiemens Industrial Edge Management\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u7528\u6237cookie\u7b49\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u6682\u65e0\u8be6\u7ec6\u7684\u89e3\u51b3\u65b9\u6848\uff1a\r\nhttp://www.siemens.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-01696",
  "openTime": "2025-01-17",
  "products": {
    "product": "Siemens Industrial Edge Management OS (IEM-OS)"
  },
  "referenceLink": "https://cert-portal.siemens.com/productcert/html/ssa-416411.html",
  "serverity": "\u4e2d",
  "submitTime": "2025-01-14",
  "title": "Siemens Industrial Edge Management\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2024-45385 (GCVE-0-2024-45385)

Vulnerability from cvelistv5

Published

2025-01-14 10:30

Modified

2025-01-14 14:33

Severity ?

4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:U/RC:C
2.1 (Low) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

A vulnerability has been identified in Industrial Edge Management OS (IEM-OS) (All versions). Affected components are vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.

References

URL

Tags

https://cert-portal.siemens.com/productcert/html/ssa-416411.html

Impacted products

	Vendor	Product	Version
	Siemens	Industrial Edge Management OS (IEM-OS)	Version: 0 < *

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45385",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T14:32:32.934085Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T14:33:56.757Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Industrial Edge Management OS (IEM-OS)",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in Industrial Edge Management OS (IEM-OS) (All versions). Affected components are vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:U/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T10:30:02.825Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-416411.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2024-45385",
    "datePublished": "2025-01-14T10:30:02.825Z",
    "dateReserved": "2024-08-28T13:08:22.700Z",
    "dateUpdated": "2025-01-14T14:33:56.757Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.