Pepperl+Fuchs Profinet Gateway LB8122A.1.EL Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Pepperl+Fuchs Profinet Gateway LB8122A.1.EL, affecting versions prior to V1.3.13. This vulnerability allows an unauthenticated remote attacker to inject HTML code into the Web-UI. The injected HTML is rendered as markup when the HART information is viewed in a web browser. Additionally, the vulnerability enables information disclosure about running processes via SNMP, which can also be used to trigger a device reboot.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected HTML links can redirect users to malicious websites. Furthermore, the vulnerability facilitates information gathering through SNMP, potentially leading to unauthorized device reboots.

Remediation

Users are advised to update to firmware version V1.3.13. If the web server is activated, ensure that it is only accessible to authorized personnel and that it is used in an isolated network environment.
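
To find gateways that still need the update, the following added example (not part of the original advisory or any vendor tooling) triages an asset inventory against the fixed version V1.3.13. The inventory columns, the host names and the assumption that firmware is recorded in the "V1.3.13" form are constructed for illustration.

```python
import csv
import io
import re

AFFECTED_MODEL = "LB8122A.1.EL"   # model named in the advisory
FIXED_VERSION = (1, 3, 13)        # V1.3.13, the fixed firmware per the advisory

# Constructed sample inventory (hosts and column names are assumptions).
SAMPLE_INVENTORY = """\
host,model,firmware
gw-plant1-01,LB8122A.1.EL,V1.3.9
gw-plant1-02,LB8122A.1.EL,V1.3.13
gw-plant2-01,LB8122A.1.EL,v1.2.40
gw-plant2-02,LB8122A.1.EL,unknown
io-plant2-07,OTHER-MODEL,V1.0.0
"""

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not parseable."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def triage(inventory_csv):
    """Classify each affected-model gateway as 'vulnerable', 'fixed' or 'unknown'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip() != AFFECTED_MODEL:
            continue  # the advisory covers only this gateway model
        version = parse_version(row["firmware"])
        if version is None:
            status = "unknown"      # needs manual verification on the device
        elif version < FIXED_VERSION:
            status = "vulnerable"   # numeric compare: 1.3.9 sorts before 1.3.13
        else:
            status = "fixed"
        results.append((row["host"], row["firmware"], status))
    return results


if __name__ == "__main__":
    for host, firmware, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {firmware:8} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank V1.3.9 above V1.3.13 and report that device as patched.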

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.0
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.