CVE-2019-13538
Description
3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the contents of manipulated libraries to be displayed or executed. The issue also exists for source libraries, but 3S-Smart Software Solutions GmbH strongly recommends distributing compiled libraries only.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CODESYS V3 Library Manager before 3.5.16.0 displays active library content without validation, enabling execution of malicious library contents via XSS.
Vulnerability
The vulnerability resides in the CODESYS V3 Library Manager component of the CODESYS Development System V3. All 32- and 64-bit versions prior to 3.5.16.0 are affected [1]. The system displays active library content without checking its validity, which is an improper neutralization of input during web page generation (Cross-site Scripting, CWE-79) [1]. The issue also exists for source libraries, though the vendor strongly recommends distributing compiled libraries only [1].
Exploitation
An attacker must convince a user to open a manipulated library file within the CODESYS Development System [1]. The attacker does not need authentication, but user interaction is required (the user must load the library) [1]. The attack vector is local, meaning the attacker needs to deliver the malicious library to the victim's system. According to the advisory, exploitation requires a low skill level [1].
Impact
Successful exploitation allows the attacker's malicious content from the manipulated library to be displayed or executed within the context of the CODESYS Development System [1]. The impact is high on confidentiality, integrity, and availability (CVSS v3 base score 8.6) [1]. An attacker could potentially execute arbitrary code or steal sensitive data depending on the crafted library content.
Mitigation
3S-Smart Software Solutions GmbH has released version 3.5.16.0 as a complete fix for this vulnerability in all affected CODESYS products [1]. Users should update to the latest version. The previous version, 3.5.15.0, was an initial mitigation, but 3.5.16.0 fully resolves the issue [1]. As a best practice, users should only load libraries from trusted sources and distribute compiled libraries instead of source libraries [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 3S-Smart Software Solutions GmbH/CODESYS V3 Library Manager
- Range: <3.5.16.0
References
- customers.codesys.com/index.php (MITRE, x_refsource_MISC)
- www.us-cert.gov/ics/advisories/icsa-19-255-02 (MITRE, x_refsource_MISC)