La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2021-29661

CVE-2021-29661 – Softing AG OPC Toolbox

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: Softing AG OPC Toolbox v4.10.1.13035
NISThttps://nvd.nist.gov/vuln/detail/CVE-2021-29661
CVSv3: 5.4
Severity: Medium
Credits
: Gianni Palombizio, Michele Cisternino, Stefano Scipioni, Massimiliano Brolli

Softing AG OPC Toolbox version 4.10.1.13035 allows /en/diag_values.html Stored XSS on ITEMLISTVALUES##ITEMID parameter. A malicious user leveraging this vulnerability could inject arbitrary JavaScript into the trace file. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

CVE-2021-29661-1

After logging in to the application with a valid user, the full request is shown on the left

Figure 1: Full HTTP request

Click here to enlarge the image

CVE-2021-29661-2

The malicious payload is: “><script>alert(‘XSS’)</script>

The JavaScript code is executed when the victim user navigates the tab “Diagnostic/Trace”fff

Figure 2: XSS on response page

Click here to enlarge the image