CVE-2022-46733 - Vulnerability Details - OpenCVE

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary commands.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Sewio	Real-time Location System Studio

Configuration 1 [-]

cpe:2.3:a:sewio:real-time_location_system_studio:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-49520	Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary commands.

Fixes

Solution

Sewio has provided the following updates and recommends that users update to the latest version: * RTLS Studio: Update to version 3.0.0 or later https://portal.sewio.net/login (requires login)

Workaround

Sewio also recommends the following workarounds to reduce the risk of exploitation: * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 . * Locate control system networks and remote devices behind firewalls and isolate them from business networks.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01

History

Thu, 16 Jan 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2023-01-18T00:43:45.382Z

Updated: 2025-01-16T21:59:53.384Z

Reserved: 2022-12-21T18:52:32.315Z

Link: CVE-2022-46733

Vulnrichment

Updated: 2024-08-03T14:39:38.546Z

NVD

Status : Modified

Published: 2023-01-18T01:15:12.827

Modified: 2024-11-21T07:30:59.350

Link: CVE-2022-46733

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46733", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2022-12-21T18:52:32.315Z", "datePublished": "2023-01-18T00:43:45.382Z", "dateUpdated": "2025-01-16T21:59:53.384Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "RTLS Studio", "vendor": "Sewio", "versions": [{"lessThanOrEqual": "2.6.2", "status": "affected", "version": "2.0.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Andrea Palanca of Nozomi Networks"}], "datePublic": "2023-01-12T21:03:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Sewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary commands.</p>"}], "value": "Sewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary commands.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-01-18T00:43:45.382Z"}, "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>Sewio has provided the following updates and recommends that users update to the latest version: </p>\n\n<ul><li>RTLS Studio: Update to <a target=\"_blank\" rel=\"nofollow\" href=\"https://portal.sewio.net/login\">version 3.0.0 or later</a> (requires login)</li></ul>"}], "value": "Sewio has provided the following updates and recommends that users update to the latest version: \n\n\n\n * RTLS Studio: Update to version 3.0.0 or later https://portal.sewio.net/login \u00a0(requires login)\n\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "CVE-2022-46733", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>Sewio also recommends the following workarounds to reduce the risk of exploitation: </p>\n\n<ul><li>Minimize network exposure for all control system devices and/or systems, and ensure they are <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01\">not accessible from the internet</a>. </li>\n\t<li>Locate control system networks and remote devices behind firewalls and isolate them from business networks. </li></ul>\n\n<br>"}], "value": "Sewio also recommends the following workarounds to reduce the risk of exploitation: \n\n\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 . \n\n\t * Locate control system networks and remote devices behind firewalls and isolate them from business networks. \n\n\n\n\n\n"}], "x_generator": {"engine": "VINCE 2.0.5", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2022-46733"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.546Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-16T20:22:25.153207Z", "id": "CVE-2022-46733", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T21:59:53.384Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.546Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-46733", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-16T20:22:25.153207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T20:22:26.544Z"}}], "cna": {"title": "CVE-2022-46733", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Andrea Palanca of Nozomi Networks"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sewio", "product": "RTLS Studio", "versions": [{"status": "affected", "version": "2.0.0", "versionType": "custom", "lessThanOrEqual": "2.6.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Sewio has provided the following updates and recommends that users update to the latest version: \n\n\n\n * RTLS Studio: Update to version 3.0.0 or later https://portal.sewio.net/login \u00a0(requires login)\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n<p>Sewio has provided the following updates and recommends that users update to the latest version: </p>\n\n<ul><li>RTLS Studio: Update to <a target=\"_blank\" rel=\"nofollow\" href=\"https://portal.sewio.net/login\">version 3.0.0 or later</a> (requires login)</li></ul>", "base64": false}]}], "datePublic": "2023-01-12T21:03:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01"}], "workarounds": [{"lang": "en", "value": "Sewio also recommends the following workarounds to reduce the risk of exploitation: \n\n\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 . \n\n\t * Locate control system networks and remote devices behind firewalls and isolate them from business networks. \n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n<p>Sewio also recommends the following workarounds to reduce the risk of exploitation: </p>\n\n<ul><li>Minimize network exposure for all control system devices and/or systems, and ensure they are <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01\">not accessible from the internet</a>. </li>\n\t<li>Locate control system networks and remote devices behind firewalls and isolate them from business networks. </li></ul>\n\n<br>", "base64": false}]}], "x_generator": {"env": "prod", "engine": "VINCE 2.0.5", "origin": "https://cveawg.mitre.org/api/cve/CVE-2022-46733"}, "descriptions": [{"lang": "en", "value": "Sewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary commands.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Sewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary commands.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-01-18T00:43:45.382Z"}}}, "cveMetadata": {"cveId": "CVE-2022-46733", "state": "PUBLISHED", "dateUpdated": "2025-01-16T21:59:53.384Z", "dateReserved": "2022-12-21T18:52:32.315Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2023-01-18T00:43:45.382Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sewio:real-time_location_system_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BFF34E9-1653-45FC-B8F1-4A61931A0779", "versionEndIncluding": "2.6.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary commands.\n\n"}, {"lang": "es", "value": " El sistema de ubicaci\u00f3n en tiempo real (RTLS) Studio de Sewio, versi\u00f3n 2.0.0 hasta la versi\u00f3n 2.6.2 incluida, es vulnerable a cross site scripting en sus servicios de respaldo. Un atacante podr\u00eda aprovechar esta vulnerabilidad para ejecutar comandos arbitrarios."}], "id": "CVE-2022-46733", "lastModified": "2024-11-21T07:30:59.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-18T01:15:12.827", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}