CVE-2022-40190

SAUTER Controls moduWeb firmware version 2.7.1 is vulnerable to reflective cross-site scripting (XSS). The web application does not adequately sanitize request strings of malicious JavaScript. An attacker utilizing XSS could then execute malicious code in users’ browsers and steal sensitive information, including user credentials.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-300-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:o:sauter-controls:moduweb_firmware:2.7.1:*:*:*:*:*:*:*

History

02 Nov 2022, 14:13

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.6
First Time		Sauter-controls Sauter-controls moduweb Firmware
CPE		cpe:2.3:o:sauter-controls:moduweb_firmware:2.7.1:::::::*
References	~~(MISC) https://www.cisa.gov/uscert/ics/advisories/icsa-22-300-02 -~~	(MISC) https://www.cisa.gov/uscert/ics/advisories/icsa-22-300-02 - Third Party Advisory, US Government Resource

31 Oct 2022, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-31 21:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-40190

Mitre link : CVE-2022-40190

CVE.ORG link : CVE-2022-40190

JSON object : View

Products Affected

sauter-controls

moduweb_firmware

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-40190", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-10-31T21:15:12.660", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-300-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SAUTER Controls moduWeb firmware version 2.7.1 is vulnerable to reflective cross-site scripting (XSS). The web application does not adequately sanitize request strings of malicious JavaScript. An attacker utilizing XSS could then execute malicious code in users\u2019 browsers and steal sensitive information, including user credentials."}, {"lang": "es", "value": "La versi\u00f3n 2.7.1 del firmware moduWeb de SAUTER Controls es vulnerable a Cross-Site Scripting (XSS) Reflejado. La aplicaci\u00f3n web no sanitiza adecuadamente las cadenas de solicitud de JavaScript malicioso. Un atacante que utilice XSS podr\u00eda ejecutar c\u00f3digo malicioso en los navegadores de los usuarios y robar informaci\u00f3n confidencial, incluidas las credenciales de los usuarios.\n"}], "lastModified": "2022-11-02T14:13:10.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:sauter-controls:moduweb_firmware:2.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FFA6229-43BC-4D22-90EC-EEE5711D229F"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}