SICK Enterprise and Logistic Analytics Products Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting vulnerability has been identified in SICK Enterprise Analytics and SICK Logistic Analytics products. This issue allows JavaScript to be executed from the address bar by using the 'Open in new Tab' button on the dashboard, potentially leading to session hijacking.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's session.

Reproduction

To reproduce this vulnerability, navigate to the SICK Enterprise Analytics or SICK Logistic Analytics dashboard. Use the 'Open in new Tab' button, which will trigger the vulnerability by executing JavaScript from the address bar.

Remediation

It is recommended to ensure that only trusted entities have access to the device. Additionally, apply general security measures when operating the product. Resources such as the 'SICK Operating Guidelines' and 'ICS-CERT recommended practices on Industrial Security' can assist in implementing these practices.
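The advisory does not state the root cause or a code-level fix. As an added example (not SICK code and not taken from the advisory), the following shows the scheme and origin check a dashboard developer would put in front of an 'Open in new Tab' handler, assuming the target URL can be influenced by the user or by stored dashboard data. The names `safeNewTabTarget` and `openInNewTab` and the `win` parameter are hypothetical.

```javascript
// Added example: hypothetical helper names, not part of any SICK product.
// Assumption: the new-tab target may contain user-influenced data.

// Only these schemes may ever be handed to window.open().
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalized absolute URL if the target is safe to open, else null.
function safeNewTabTarget(rawTarget, baseOrigin) {
  if (typeof rawTarget !== "string") return null;

  let parsed;
  let base;
  try {
    base = new URL(baseOrigin);
    // Parse exactly as the browser would: the WHATWG URL parser trims
    // surrounding whitespace, drops embedded tabs/newlines and lowercases
    // the scheme, so obfuscated schemes are normalized before the check.
    parsed = new URL(rawTarget, base);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }

  // Reject javascript:, data:, blob: and every other non-web scheme.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;

  // Dashboard views live on the dashboard's own origin; this also rejects
  // protocol-relative targets such as //other-host/path.
  if (parsed.origin !== base.origin) return null;

  return parsed.href;
}

// Opens the target in a new tab only if it passed validation.
// `win` is the window object (injectable so the logic can be tested).
function openInNewTab(rawTarget, baseOrigin, win) {
  const target = safeNewTabTarget(rawTarget, baseOrigin);
  if (target === null) return false;
  // noopener/noreferrer: the new tab gets no handle back to the dashboard.
  win.open(target, "_blank", "noopener,noreferrer");
  return true;
}
```

Validating the parsed URL rather than the raw string matters because the browser normalizes the value before acting on it; a string comparison on the unparsed input would miss case and whitespace variants of the same scheme.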

Added: Oct 6, 2025, 7:55 AM
Updated: Oct 6, 2025, 7:55 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.3
remediation: 0.0
relevance: 0.7
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.