Cyber Resilience

CVE-2022-24039

Critical

Published: 10 May 2022

Published
10 May 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0205 84.2th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-24039 is a critical-severity Special Element Injection (CWE-75) vulnerability in Siemens Desigo Pxc5 Firmware. Its CVSS base score is 9.0 (Critical).

Operationally, ranked in the top 15.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The “addCell” JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report…

more

document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator’s workstation.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

siemens
desigo pxc5 firmware
≤ 02.20.142.10-10884
siemens
desigo pxc4 firmware
≤ 02.20.142.10-10884

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References