HMS Industrial Networks Anybus-CompactCom 30 products are vulnerable to a XSS attack caused by the lack of input sanitation checks. As a consequence, it is possible to insert HTML code into input fields and store the HTML code. The stored HTML code will be embedded in the page and executed by host browser the next time the page is loaded, enabling social engineering attacks.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Hms-networks
  • Anybus Compactcom 30 Module Ethernet\/ip
  • Anybus Compactcom 30 Module Ethernet\/ip Firmware
  • Anybus Compactcom 30 Module Usb Without Housing
  • Anybus Compactcom 30 Module Usb Without Housing Firmware

Configuration 1 [-]

AND
cpe:2.3:o:hms-networks:anybus_compactcom_30_module_ethernet\/ip_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:anybus_compactcom_30_module_ethernet\/ip:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:hms-networks:anybus_compactcom_30_module_usb_without_housing_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:anybus_compactcom_30_module_usb_without_housing:-:*:*:*:*:*:*:*

No data.

References
Link Providers
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-05-17-001---anybus---compactcom-30-xss.pdf cve-icon cve-icon cve-icon
https://www.cisa.gov/news-events/ics-advisories/icsa-24-193-20 cve-icon cve-icon cve-icon
History

Tue, 13 Aug 2024 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Hms-networks
Hms-networks anybus Compactcom 30 Module Ethernet\/ip
Hms-networks anybus Compactcom 30 Module Ethernet\/ip Firmware
Hms-networks anybus Compactcom 30 Module Usb Without Housing
Hms-networks anybus Compactcom 30 Module Usb Without Housing Firmware
CPEs cpe:2.3:h:hms-networks:anybus_compactcom_30_module_ethernet\/ip:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:anybus_compactcom_30_module_usb_without_housing:-:*:*:*:*:*:*:*
cpe:2.3:o:hms-networks:anybus_compactcom_30_module_ethernet\/ip_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:hms-networks:anybus_compactcom_30_module_usb_without_housing_firmware:-:*:*:*:*:*:*:*
Vendors & Products Hms-networks
Hms-networks anybus Compactcom 30 Module Ethernet\/ip
Hms-networks anybus Compactcom 30 Module Ethernet\/ip Firmware
Hms-networks anybus Compactcom 30 Module Usb Without Housing
Hms-networks anybus Compactcom 30 Module Usb Without Housing Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-07-25T19:53:44.420Z

Updated: 2024-08-01T21:41:03.742Z

Reserved: 2024-07-08T14:47:38.424Z

Link: CVE-2024-6558

cve-icon Vulnrichment

Updated: 2024-08-01T21:41:03.742Z

cve-icon NVD

Status : Modified

Published: 2024-07-25T20:15:05.360

Modified: 2024-11-21T09:49:53.027

Link: CVE-2024-6558

cve-icon Redhat

No data.