SICK Field Analytics and Media Server Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting vulnerability has been identified in SICK Field Analytics (all versions) and SICK Media Server (versions through 1.4). This issue allows an attacker to inject malicious JavaScript into dashboard widgets, which is executed when the widget receives data from its source. The vulnerability arises because the web application does not properly sanitize input before generating web pages, enabling the injection of harmful scripts.
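
The root cause described above, as an added example that is not SICK's code and not part of the original advisory: a hypothetical widget renderer that concatenates a stored label and incoming source data into markup, next to a version that encodes every dynamic field at output time. All function names, field names and sample values are constructed for illustration.

```javascript
// Hypothetical dashboard widget renderer; illustrative only, not the vendor's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
// null/undefined become an empty string; numbers are stringified first.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored label and the data arriving from the
// source are placed into the page unchanged, so markup in either field
// becomes part of the document for every user who opens the dashboard.
function renderWidgetUnsafe(widget, reading) {
  return `<div class="widget" title="${widget.label}">` +
         `<h3>${widget.label}</h3>` +
         `<span>${reading.value} ${reading.unit}</span></div>`;
}

// Hardened pattern: every dynamic field is encoded when the page is built,
// regardless of where the value came from or when it was stored.
function renderWidgetSafe(widget, reading) {
  const label = escapeHtml(widget.label);
  return `<div class="widget" title="${label}">` +
         `<h3>${label}</h3>` +
         `<span>${escapeHtml(reading.value)} ${escapeHtml(reading.unit)}</span></div>`;
}

// Constructed sample input: a stored label and a source reading that both carry markup.
const storedWidget = { label: 'Line "A" <script>alert(1)</script>' };
const sourceReading = { value: 21.5, unit: '<b>°C</b>' };

console.log('unsafe:', renderWidgetUnsafe(storedWidget, sourceReading));
console.log('safe:  ', renderWidgetSafe(storedWidget, sourceReading));
```
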

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the dashboard.

Remediation

Users of SICK Media Server are strongly recommended to upgrade to version 1.5 or later. For SICK Field Analytics, ensure that only trusted entities have access to the device and apply general security measures to operate the product in a protected IT environment.

Added: Jun 12, 2025, 3:00 PM
Updated: Jun 12, 2025, 3:00 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 4.8
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.