Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2023-45795
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-45795",
"id": "GSD-2023-45795"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-45795"
],
"id": "GSD-2023-45795",
"modified": "2023-12-13T01:20:38.109094Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2023-45795",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
}
}
VDE-2023-050
Vulnerability from csaf_pilzgmbhcokg - Published: 2024-01-30 07:00 - Updated: 2025-04-10 13:00Summary
Pilz: Vulnerability in PASvisu and PMI v8xx
Notes
Summary: Multiple Pilz products are affected by stored cross-site-scripting (XSS) vulnerabilities. The vulnerabilities may enable an attacker to gain full control over the system.
Update: 27.02.2024 Fix typo in advisory title
Impact: The vulnerabilities allow an attacker to inject malicious Javascript code into the system. With PASvisu
Builder in a worst-case scenario this can lead to execution of arbitrary code using the privileges of the
user running the affected software. With PASvisu Runtime (including PMI v8xx) in a worst-case
scenario this could have an impact on the controlled automation application.
Mitigation: * Only use project files from trustworthy sources.
* Protect project files against modification by unauthorized users.
* PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar
measures. Use password protection on the online project.
Remediation: Install the fixed product version as soon as it is available. Please visit the Pilz eShop
(https://www.pilz.com/en-INT/eshop external link) to check for the fixed version
A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device.
7.8 (High)
Mitigation
* Only use project files from trustworthy sources.
* Protect project files against modification by unauthorized users.
* PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar
measures. Use password protection on the online project.
Vendor Fix
Install the fixed product version as soon as it is available. Please visit the Pilz eShop
(https://www.pilz.com/en-INT/eshop external link) to check for the fixed version
A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.
8.1 (High)
Mitigation
* Only use project files from trustworthy sources.
* Protect project files against modification by unauthorized users.
* PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar
measures. Use password protection on the online project.
Vendor Fix
Install the fixed product version as soon as it is available. Please visit the Pilz eShop
(https://www.pilz.com/en-INT/eshop external link) to check for the fixed version
References
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Multiple Pilz products are affected by stored cross-site-scripting (XSS) vulnerabilities. The vulnerabilities may enable an attacker to gain full control over the system.\n\nUpdate: 27.02.2024 Fix typo in advisory title",
"title": "Summary"
},
{
"category": "description",
"text": "The vulnerabilities allow an attacker to inject malicious Javascript code into the system. With PASvisu\nBuilder in a worst-case scenario this can lead to execution of arbitrary code using the privileges of the\nuser running the affected software. With PASvisu Runtime (including PMI v8xx) in a worst-case\nscenario this could have an impact on the controlled automation application.",
"title": "Impact"
},
{
"category": "description",
"text": " * Only use project files from trustworthy sources.\n * Protect project files against modification by unauthorized users.\n * PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar\nmeasures. Use password protection on the online project.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Install the fixed product version as soon as it is available. Please visit the Pilz eShop\n(https://www.pilz.com/en-INT/eshop external link) to check for the fixed version",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@pilz.com",
"name": "Pilz GmbH \u0026 Co. KG",
"namespace": "https://www.pilz.com"
},
"references": [
{
"category": "external",
"summary": "PILZ PSIRT",
"url": "https://www.pilz.com/de-DE/company/news/articles/200605"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for PILZ products",
"url": "https://certvde.com/en/advisories/vendor/pilz/"
},
{
"category": "self",
"summary": "VDE-2023-050: Pilz: Vulnerability in PASvisu and PMI v8xx - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-050/"
},
{
"category": "self",
"summary": "VDE-2023-050: Pilz: Vulnerability in PASvisu and PMI v8xx - CSAF",
"url": "https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2023-050.json"
}
],
"title": "Pilz: Vulnerability in PASvisu and PMI v8xx",
"tracking": {
"aliases": [
"VDE-2023-050"
],
"current_release_date": "2025-04-10T13:00:00.000Z",
"generator": {
"date": "2024-06-10T06:39:45.830Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.4"
}
},
"id": "VDE-2023-050",
"initial_release_date": "2024-01-30T07:00:00.000Z",
"revision_history": [
{
"date": "2024-01-30T07:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2024-02-27T14:00:00.000Z",
"number": "2",
"summary": "Updated Title."
},
{
"date": "2024-11-06T11:27:01.000Z",
"number": "3",
"summary": "Fix: correct certvde domain, added self-reference"
},
{
"date": "2025-04-10T13:00:00.000Z",
"number": "4",
"summary": "fixed version operators"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "PMI v8xx",
"product": {
"name": "PILZ Hardware PMI v8xx",
"product_id": "CSAFPID-1101",
"product_identification_helper": {
"model_numbers": [
"266807",
"266812",
"266815"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.14.1",
"product": {
"name": "PILZ Software PASvisu \u003c1.14.1",
"product_id": "CSAFPID-5101"
}
},
{
"category": "product_version",
"name": "1.14.1",
"product": {
"name": "PILZ Software PASvisu 1.14.1",
"product_id": "CSAFPID-5201"
}
}
],
"category": "product_name",
"name": "PASvisu"
}
],
"category": "product_family",
"name": "Software"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=2.0.33992",
"product": {
"name": "PILZ Firmware PMI v8xx \u003c=2.0.33992",
"product_id": "CSAFPID-2101"
}
}
],
"category": "product_name",
"name": "PMI v8xx"
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "PILZ"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-3101",
"CSAFPID-5101"
],
"summary": "Affected products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "PILZ Firmware PMI v8xx \u003c=2.0.33992 installed on PILZ Hardware PMI v8xx",
"product_id": "CSAFPID-3101"
},
"product_reference": "CSAFPID-2101",
"relates_to_product_reference": "CSAFPID-1101"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45795",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-3101",
"CSAFPID-5101"
]
},
"remediations": [
{
"category": "mitigation",
"details": " * Only use project files from trustworthy sources.\n * Protect project files against modification by unauthorized users.\n * PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar\nmeasures. Use password protection on the online project.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": " Install the fixed product version as soon as it is available. Please visit the Pilz eShop\n(https://www.pilz.com/en-INT/eshop external link) to check for the fixed version",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-3101",
"CSAFPID-5101"
]
}
],
"title": "CVE-2023-45795"
},
{
"cve": "CVE-2023-45796",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-3101",
"CSAFPID-5101"
]
},
"remediations": [
{
"category": "mitigation",
"details": " * Only use project files from trustworthy sources.\n * Protect project files against modification by unauthorized users.\n * PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar\nmeasures. Use password protection on the online project.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": " Install the fixed product version as soon as it is available. Please visit the Pilz eShop\n(https://www.pilz.com/en-INT/eshop external link) to check for the fixed version",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 8.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-3101",
"CSAFPID-5101"
]
}
],
"title": "CVE-2023-45796"
}
]
}