Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-13924

A vulnerability has been identified in SCALANCE S602 (All versions < V4.1), SCALANCE S612 (All versions < V4.1), SCALANCE S623 (All versions < V4.1), SCALANCE S627-2M (All versions < V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface.

Published

2020-02-11T16:15:14.430

Last Modified

2024-11-21T04:25:42.543

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-693
Type: Secondary
CWE-1021

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	siemens	scalance_xc-200_firmware	< 5.2.4	Yes
Hardware	siemens	scalance_xc-200	-	No
Operating System	siemens	scalance_xf-200_firmware	< 5.2.4	Yes
Hardware	siemens	scalance_xf-200	-	No
Operating System	siemens	scalance_xp-200_firmware	< 5.2.4	Yes
Hardware	siemens	scalance_xp-200	-	No
Operating System	siemens	scalance_x-200irt_firmware	*	Yes
Hardware	siemens	scalance_x-200irt	-	No
Operating System	siemens	scalance_xb-200_firmware	< 5.2.4	Yes
Hardware	siemens	scalance_xb-200	-	No
Operating System	siemens	scalance_xr-300wg_firmware	< 4.1.3	Yes
Hardware	siemens	scalance_xr-300wg	-	No
Operating System	siemens	scalance_x-300_firmware	< 4.1.3	Yes
Hardware	siemens	scalance_x-300	-	No
Operating System	siemens	scalance_xr-300_firmware	< 4.1.3	Yes
Hardware	siemens	scalance_xr-300	-	No

References

https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf Vendor Advisory ([email protected])
https://www.us-cert.gov/ics/advisories/icsa-20-042-07 ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.us-cert.gov/ics/advisories/icsa-20-042-07 (af854a3a-2127-422b-91ae-364da2661108)