Vulnerability Description
A vulnerability has been identified in Climatix POL908 (BACnet/IP module) (All versions), Climatix POL909 (AWM module) (All versions < V11.32). A persistent cross-site scripting (XSS) vulnerability exists in the "Server Config" web interface of the affected devices that could allow an attacker to inject arbitrary JavaScript code. The code could be potentially executed later by another (possibly privileged) user. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires no system privileges. An attacker could use the vulnerability to compromise the confidentiality and integrity of other users' web session.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Siemens | Climatix Pol908 Firmware | All versions |
| Siemens | Climatix Pol908 | - |
| Siemens | Climatix Pol909 Firmware | < 11.32 |
| Siemens | Climatix Pol909 | - |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-886514.pdfVendor Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-886514.pdfVendor Advisory
FAQ
What is CVE-2020-7574?
CVE-2020-7574 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A vulnerability has been identified in Climatix POL908 (BACnet/IP module) (All versions), Climatix POL909 (AWM module) (All versions < V11.32). A persistent cross-site scripting (XSS) vulnerability ex...
How severe is CVE-2020-7574?
CVE-2020-7574 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-7574?
Check the references section above for vendor advisories and patch information. Affected products include: Siemens Climatix Pol908 Firmware, Siemens Climatix Pol908, Siemens Climatix Pol909 Firmware, Siemens Climatix Pol909.