CVE-2018-4848

MEDIUM

SCALANCE X-200, X-200IRT, X-200RNA, X-300 - Cross-Site Scripting via Malicious Link

Title source: llm

Description

A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.3), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). The integrated configuration web server of the affected devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it.

References (2)

Core 2

Core References

Third Party Advisory, Vendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-480829.pdf

Third Party Advisory, VDB Entry vdb-entry

http://www.securityfocus.com/bid/104494

Scores

CVSS v3 6.1

EPSS 0.0031

EPSS Percentile 54.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-80 CWE-79

Status published

Products (3)

siemens/scalance_x-200_firmware < 5.2.3

siemens/scalance_x-200_irt_firmware < 5.4.1

siemens/scalance_x300_firmware

Published Jun 14, 2018

Tracked Since Feb 18, 2026