CVE-2017-13754
Description
Cross-site scripting (XSS) vulnerability in the "advanced settings - time server" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the "server name" field in actions/ChangeConfiguration.html.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A persistent XSS vulnerability in CodeMeter WebAdmin allows remote attackers to inject arbitrary HTML/JS via the time server name field.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in the "advanced settings - time server" module of Wibu-Systems CodeMeter WebAdmin before version 6.50b [1][2]. The server name field in actions/ChangeConfiguration.html does not properly sanitize user-supplied input, allowing an attacker to inject arbitrary web script or HTML [1][2]. The affected products include CodeMeter versions prior to 6.50b and any product that bundles that version, such as Rockwell Automation FactoryTalk Activation Manager v4.00 and v4.01 [3].
Exploitation
An attacker needs access to the CodeMeter WebAdmin interface with permission to modify the "advanced settings - time server" configuration [1][2]. The CVSS vector rates this as a low-privilege, remotely reachable attack: an authenticated user of the web interface enters a script or HTML payload in the server name field and saves it [1][2][3]. The payload is stored server-side and executes in the browser of any administrator who later opens the configuration page [1][2]; the only user interaction required is viewing that page, which is why the vector carries a user-interaction requirement.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript or HTML in the context of the affected application [1][2]. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is confined to the WebAdmin interface, but an administrator who is tricked into viewing the compromised page may have their session tokens or administrative actions exposed to the attacker [1][2]. The CVSS v3 score for this vulnerability is 5.4 (Medium) [3].
Mitigation
The vendor, Wibu-Systems AG, released a fix in CodeMeter version 6.50b [1][2][3]. Users should upgrade to CodeMeter 6.50b or later. Organizations using Rockwell Automation FactoryTalk Activation Manager are advised to update that software to versions that include the patched CodeMeter library [3]. No workarounds are documented in the available references; blocking access to the WebAdmin interface at the network perimeter may partially mitigate the risk if management access is restricted to trusted hosts.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing input neutralization in the "server name" field of the time server configuration module allows stored cross-site scripting.
Attack vector
An attacker with authenticated access to the CodeMeter WebAdmin interface can inject arbitrary web script or HTML into the "server name" field of the "advanced settings - time server" module [1][2][3]. The payload is stored and executed when other users view the affected configuration page, resulting in a persistent (stored) cross-site scripting attack [CWE-79]. The CVSS vector indicates that the attack requires low-privilege authentication and user interaction; for a stored payload the interaction is simply an administrator opening the time server configuration page in a browser.
Affected code
The vulnerability resides in the "advanced settings - time server" module of the CodeMeter WebAdmin application, specifically in the file `actions/ChangeConfiguration.html` [1][2][3]. The "server name" field in that module does not sanitize user-supplied input before rendering it in the web interface [CWE-79].
What the fix does
The vendor (Wibu Systems AG) released a fix on 2017-08-01, updating CodeMeter to version 6.50b [1][2][3]. The patch addresses the missing input neutralization in the "server name" field of the time server configuration module [CWE-79]. No patch diff is available in the bundle, and the advisories state only that 6.50b resolves the issue; the expected remediation for this class of bug is to encode the stored value for the HTML context in which it is rendered, with validation of the field as a hostname or IP address as a second layer.
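To make the root cause and the remediation concrete, the following is an added example written for this page; it is not CodeMeter's code (the WebAdmin implementation is not published in the cited references). It assumes the stored server name is echoed into the `value` attribute of a text input named `server`, which is a plausible but unverified rendering context, and it reuses the payload from the Reproduction section. The vulnerable renderer shows how the unencoded value breaks out of the attribute; the fixed renderer encodes the value on output, and a hostname/IPv4 validator rejects the payload before it is ever stored.

```python
import html
import re

# Constructed payload, identical to the one in the Reproduction section.
PAYLOAD = '"><script>alert(1)</script>'

# RFC 1123 hostname labels: alphanumerics and hyphens, 1..63 chars,
# no leading or trailing hyphen. A time server name should match this
# grammar or be a dotted-quad IPv4 literal and nothing else.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def is_valid_time_server(name: str) -> bool:
    """Allow-list check for the 'server name' field (hostname or IPv4)."""
    if not name or len(name) > 253:
        return False
    if _IPV4_RE.match(name):
        return all(0 <= int(octet) <= 255 for octet in name.split("."))
    return _HOSTNAME_RE.match(name) is not None


def render_vulnerable(server_name: str) -> str:
    # The pattern the advisory describes: the stored value is interpolated
    # straight into the settings form with no output encoding. A leading
    # double quote closes the attribute and the rest becomes live markup.
    # (Field name 'server' and the attribute context are assumptions.)
    return f'<input type="text" name="server" value="{server_name}">'


def render_fixed(server_name: str) -> str:
    # Output encoding for the HTML attribute context: &, <, >, " and ' are
    # turned into entities, so the value can neither terminate the
    # attribute nor open a tag, whatever was stored.
    return (
        '<input type="text" name="server" '
        f'value="{html.escape(server_name, quote=True)}">'
    )


def save_time_server(store: dict, submitted: str) -> bool:
    """Defense in depth: validate on input before persisting the value."""
    if not is_valid_time_server(submitted):
        return False
    store["time_server"] = submitted
    return True


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("fixed:     ", render_fixed(PAYLOAD))
    config = {}
    print("payload accepted by validator:", save_time_server(config, PAYLOAD))
    print("pool.ntp.org accepted:", save_time_server(config, "pool.ntp.org"))
```

Output encoding is the fix that actually closes the XSS; the validator is there because a time server field has a narrow legitimate grammar, so rejecting anything outside it costs nothing and also stops payloads that target other sinks (log viewers, exported configuration files) that the encoding on this one page would not cover.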
Preconditions
- Attacker must have authenticated access to the CodeMeter WebAdmin interface
- The victim must view the affected 'advanced settings - time server' configuration page after the payload is stored
Reproduction
1. Log in to the CodeMeter WebAdmin interface.
2. Navigate to the "advanced settings - time server" module.
3. In the "server name" field, enter a payload such as `"><script>alert(1)</script>`.
4. Save the configuration.
5. When any user (including the attacker) views the time server configuration page, the injected script executes in the context of the victim's browser session [1][2][3].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- seclists.org/fulldisclosure/2017/Sep/1 (NVD: Exploit, Mailing List, Third Party Advisory)
- www.exploit-db.com/exploits/42610/ (NVD: Exploit, Third Party Advisory, VDB Entry)
- www.vulnerability-lab.com/get_content.php (NVD: Exploit, Third Party Advisory)
- www.securityfocus.com/archive/1/541119/100/0/threaded (NVD)
- www.securityfocus.com/bid/104433 (NVD)
- ics-cert.us-cert.gov/advisories/ICSA-18-102-02 (NVD)
- rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133 (NVD)
News mentions
No linked articles in our index yet.