CVE-2023-2746 — CRITICAL (9.6)

Vulnerability Description

The Rockwell Automation Enhanced HIM software contains an API that the application uses that is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Rockwellautomation	Enhanced Him	1.001

Related Weaknesses (CWE)

CWE-352

References

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139760Permissions RequiredVendor Advisory
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139760Permissions RequiredVendor Advisory

FAQ

What is CVE-2023-2746?

CVE-2023-2746 is a vulnerability with a CVSS score of 9.6 (CRITICAL). The Rockwell Automation Enhanced HIM software contains an API that the application uses that is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a ...

How severe is CVE-2023-2746?

CVE-2023-2746 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-2746?

Check the references section above for vendor advisories and patch information. Affected products include: Rockwellautomation Enhanced Him.