CVE-2022-30694 Information

Nov 09, 2022 cve

Description

A vulnerability has been identified in SIMATIC Drive Controller family (All versions) SIMATIC ET 200S IM151-8 PN/DP CPU (All versions < V3.2.19) SIMATIC ET 200S IM151-8F PN/DP CPU (All versions < V3.2.19) SIMATIC ET 200pro IM154-8 PN/DP CPU (All versions < V3.2.19) SIMATIC ET 200pro IM154-8F PN/DP CPU (All versions < V3.2.19) SIMATIC ET 200pro IM154-8FX PN/DP CPU (All versions < V3.2.19) SIMATIC PC Station (All versions >= V2.1) SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions) SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions) SIMATIC S7-1500 Software Controller (All versions) SIMATIC S7-300 CPU 314C-2 PN/DP (All versions < V3.3.19) SIMATIC S7-300 CPU 315-2 PN/DP (All versions < V3.2.19) SIMATIC S7-300 CPU 315F-2 PN/DP (All versions < V3.2.19) SIMATIC S7-300 CPU 315T-3 PN/DP (All versions < V3.2.19) SIMATIC S7-300 CPU 317-2 PN/DP (All versions < V3.2.19) SIMATIC S7-300 CPU 317F-2 PN/DP (All versions < V3.2.19) SIMATIC S7-300 CPU 317T-3 PN/DP (All versions < V3.2.19) SIMATIC S7-300 CPU 317TF-3 PN/DP (All versions < V3.2.19) SIMATIC S7-300 CPU 319-3 PN/DP (All versions < V3.2.19) SIMATIC S7-300 CPU 319F-3 PN/DP (All versions < V3.2.19) SIMATIC S7-400 PN/DP V6 CPU family (incl. SIPLUS variants) (All versions) SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants) (All versions) SIMATIC S7-PLCSIM Advanced (All versions) SIMATIC WinCC Runtime Advanced (All versions) SINUMERIK ONE (All versions) SIPLUS ET 200S IM151-8 PN/DP CPU (All versions < V3.2.19) SIPLUS ET 200S IM151-8F PN/DP CPU (All versions < V3.2.19) SIPLUS S7-300 CPU 314C-2 PN/DP (All versions < V3.3.19) SIPLUS S7-300 CPU 315-2 PN/DP (All versions < V3.2.19) SIPLUS S7-300 CPU 315F-2 PN/DP (All versions < V3.2.19) SIPLUS S7-300 CPU 317-2 PN/DP (All versions < V3.2.19) SIPLUS S7-300 CPU 317F-2 PN/DP (All versions < V3.2.19). The login endpoint /FormLogin in affected web services does not apply proper origin checking. This could allow authenticated remote attackers to track the activities of other users via a login cross-site request forgery attack.

Reference

https://cert-portal.siemens.com/productcert/pdf/ssa-478960.pdf

Share on: