{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "publisher": { "category": "vendor", "name": "Softing Industrial Automation GmbH", "namespace": "https://industrial.softing.com", "contact_details": "Softing PSIRT - contact us at psirt@softing.com" }, "title": "Multiple vulnerabilities in smartLink SW-HT", "tracking": { "current_release_date": "2023-03-27T10:00:00.000Z", "id": "SYT-2022-11", "initial_release_date": "2022-12-29T11:00:00.000Z", "revision_history": [ { "date": "2022-12-29T11:00:00.000Z", "number": "1.0.0", "summary": "Initial version" }, { "number": "2.0.0", "date": "2023-03-27T10:00:00.000Z", "summary": "Update with smartLink SW-HT V1.30" } ], "status": "final", "version": "2.0.0", "generator": { "date": "2023-03-27T10:00:00.000Z", "engine": { "version": "2.0.0", "name": "Secvisogram" } } }, "source_lang": "en-US", "aggregate_severity": { "text": "high" }, "notes": [ { "category": "legal_disclaimer", "text": "The information provided in this disclosure is provided \"as is\" without warranty of any kind.\nSofting disclaims all warranties, either express or implied, including the warranties of\nmerchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be\nliable for any damages whatsoever including direct, indirect, incidental, consequential, loss of\nbusiness profits or special damages, even if Softing or its suppliers have been advised of the\npossibility of such damages.\nSome states do not allow the exclusion or limitation of liability for consequential or incidental\ndamages so the foregoing limitation may not apply.\n", "title": "Disclaimer" } ] }, "product_tree": { "full_product_names": [ { "product_id": "CSAFPID-0100", "name": "Softing smartLink SW-HT V1.30" } ], "branches": [ { "category": "product_version_range", "name": "Softing smartLink SW-HT <= V1.20", "product": { "product_id": "CSAFPID-0001", "name": "Softing smartLink SW-HT <= V1.20" } } ] }, "vulnerabilities": [ { "scores": [ { "products": [ "CSAFPID-0001" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH" } } ], "product_status": { "known_affected": [ "CSAFPID-0001" ], "fixed": [ "CSAFPID-0100" ] }, "notes": [ { "category": "summary", "text": "Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application." } ], "discovery_date": "2022-09-02T10:00:00.000Z", "cwe": { "id": "CWE-83", "name": "Improper Neutralization of Script in Attributes in a Web Page" }, "ids": [ { "system_name": "Softing isssue id", "text": "2022-17" } ], "title": "2022-17", "acknowledgments": [ { "names": [ "Anthony Goyette" ], "organization": "from Chevron" } ], "cve": "CVE-2022-48192" }, { "cwe": { "id": "CWE-326", "name": "Inadequate Encryption Strength" }, "discovery_date": "2022-11-29T11:00:00.000Z", "ids": [ { "system_name": "Softing isssue id", "text": "2022-18" } ], "notes": [ { "category": "summary", "text": "Weak ciphers are enabled during secure communication (SSL)." } ], "product_status": { "known_affected": [ "CSAFPID-0001" ], "fixed": [ "CSAFPID-0100" ] }, "scores": [ { "products": [ "CSAFPID-0001" ], "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE" } } ], "acknowledgments": [ { "names": [ "Anthony Goyette" ], "organization": "from Chevron" } ], "title": "2022-18", "cve": "CVE-2022-48193" } ] }