CVE-2023-2746
Last modified
CVE-2023-2746 is a critical-severity vulnerability rated 9.6/10 on the CVSS scale. The Rockwell Automation Enhanced HIM software contains an API that the application uses that is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
The Rockwell Automation Enhanced HIM software contains an API that the application uses that is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Rockwellautomation | Enhanced Him | 1.001 |
References
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139760Permissions Required, Vendor Advisory
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139760Permissions Required, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-2746?
How severe is CVE-2023-2746?
How do I fix CVE-2023-2746?
Are you affected by CVE-2023-2746?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST