CVE-2022-46670

HIGH

Rockwell Automation - Unauthenticated XSS

Title source: llm

Description

Rockwell Automation was made aware of a vulnerability by a security researcher from Georgia Institute of Technology that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution. The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.

References (1)

Core 1

Core References

Vendor Advisory

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1137679

Scores

CVSS v3 7.1

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (5)

rockwellautomation/micrologix_1100_firmware

rockwellautomation/micrologix_1400-a_firmware < 7.000

rockwellautomation/micrologix_1400-b_firmware < 21.007

rockwellautomation/micrologix_1400-c_firmware < 21.007

rockwellautomation/micrologix_1400_firmware

Published Dec 16, 2022

Tracked Since Feb 18, 2026