Persistent cross-site scripting (XSS) vulnerabilities in Siemens' Climatix POL908 and POL909 modules have been discovered by our Security Consultant, Ezequiel Fernandez. If exploited, this flaw would allow an attacker to execute arbitrary JavaScript code in the context of other users' web sessions.
A few weeks ago, Siemens received the bug report from our Security Consultant and released specific workarounds and mitigations that customers can apply to reduce the risk: https://cert-portal.siemens.com/productcert/pdf/ssa-886514.pdf
Dreamlab Technologies invites organisations using these communication modules to apply Siemens' recommendations as soon as possible and to follow the recommended security practices in order to run the devices in a protected IT environment.