Cross-site Scripting Vulnerability in Phoenix Contact FL SWITCH SMCS series products
Description
In Phoenix Contact FL SWITCH SMCS series products, in multiple versions, an attacker may insert malicious code via LLDP frames into the web-based management interface, which could then be executed by the client.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An attacker can inject malicious code via LLDP frames into the web-based management of Phoenix Contact FL SWITCH SMCS series switches, leading to client-side code execution.
Vulnerability
In Phoenix Contact FL SWITCH SMCS series products (multiple versions), an attacker can insert malicious code into the web-based management interface by sending specially crafted LLDP frames. The injected code is then executed by the client (e.g., a browser) when accessing the management interface. The vulnerability resides in the processing of LLDP frames by the switch's firmware, which does not properly sanitize the data before storing it for display in the web interface.
Exploitation
An attacker with network access to the switch can send a malicious LLDP frame. No authentication is required to send LLDP frames. The switch processes the frame and stores the injected code. When a legitimate user accesses the web-based management interface, the malicious code is executed in the context of the user's browser. The attack does not require user interaction beyond normal browsing of the management interface.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the client's browser. This can lead to session hijacking, data theft, or further compromise of the management session. The impact is limited to the client side: the switch itself is not directly compromised, but the attacker can gain access to the management session and potentially perform actions on behalf of the authenticated user.
Mitigation
As of the publication date (2021-06-25), no specific mitigation details are provided in the available references. Users should consult the vendor advisory [1] for updated firmware versions or workarounds. If no patch is available, network segmentation and restricting access to the management interface can reduce exposure.
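The Vulnerability and Mitigation sections above describe the generic stored-XSS pattern behind this advisory: free-text LLDP TLVs (system name, system description, port description) received from a neighbour are stored by the switch and later rendered in the management interface without output encoding. The following Python is an added, illustrative example, not code from Phoenix Contact, from the CERT@VDE advisory, or from the affected firmware. It assumes nothing about which TLVs or code paths the real products use: the parser, the two rendering functions, the detection heuristic and the sample LLDPDU are all constructed here to show the vulnerable pattern beside its hardened form and the kind of check a network monitor could run on received frames.

```python
import html
import struct

# LLDP TLV type codes from IEEE 802.1AB. Each TLV has a 16-bit header:
# 7 bits of type followed by 9 bits of value length.
TLV_END = 0
TLV_CHASSIS_ID = 1
TLV_PORT_ID = 2
TLV_TTL = 3
TLV_PORT_DESCRIPTION = 4
TLV_SYSTEM_NAME = 5
TLV_SYSTEM_DESCRIPTION = 6

# Free-form text TLVs: these are the fields a management UI typically shows
# verbatim in its LLDP neighbour table, which is where output encoding matters.
STRING_TLVS = {
    TLV_PORT_DESCRIPTION: "port_description",
    TLV_SYSTEM_NAME: "system_name",
    TLV_SYSTEM_DESCRIPTION: "system_description",
}

HTML_METACHARS = set('<>"\'&')


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (used only to construct the sample LLDPDU below)."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload: bytes) -> dict:
    """Parse an LLDPDU (the payload after the 0x88CC EtherType) into a dict.

    Unknown TLV types are skipped; a truncated TLV raises ValueError rather
    than silently yielding a partial neighbour record.
    """
    fields = {}
    offset = 0
    while offset + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == TLV_END:
            break
        value = payload[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % (offset - 2))
        offset += length
        if tlv_type in STRING_TLVS:
            # Decode leniently: hostile bytes must not crash the parser.
            fields[STRING_TLVS[tlv_type]] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_TTL and length == 2:
            fields["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID) and length >= 1:
            # First byte is the subtype; keep the identifier itself as hex.
            key = "chassis_id" if tlv_type == TLV_CHASSIS_ID else "port_id"
            fields[key] = value[1:].hex()
    return fields


def render_neighbor_row_unsafe(fields: dict) -> str:
    """The vulnerable pattern: neighbour data concatenated straight into HTML."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        fields.get("system_name", ""), fields.get("system_description", ""))


def render_neighbor_row(fields: dict) -> str:
    """Hardened pattern: every untrusted field is HTML-escaped at output time."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(fields.get("system_name", ""), quote=True),
        html.escape(fields.get("system_description", ""), quote=True))


def suspicious_tlv_fields(fields: dict) -> list:
    """Detection heuristic for a monitor: string TLVs carrying HTML metacharacters.

    Legitimate system names and descriptions essentially never contain these,
    so a hit is worth alerting on before anyone opens the management UI.
    """
    return sorted(name for name in STRING_TLVS.values()
                  if HTML_METACHARS & set(fields.get(name, "")))


# Constructed sample LLDPDU (not a capture): a neighbour whose System Name TLV
# carries HTML markup, the class of input this advisory is about.
SAMPLE_LLDPDU = (
    build_tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("001122334455"))  # subtype 4 = MAC
    + build_tlv(TLV_PORT_ID, b"\x05" + b"eth0")                          # subtype 5 = ifname
    + build_tlv(TLV_TTL, struct.pack("!H", 120))
    + build_tlv(TLV_SYSTEM_NAME, b"<script>/*constructed*/</script>")
    + build_tlv(TLV_SYSTEM_DESCRIPTION, b"lab-host")
    + build_tlv(TLV_END, b"")
)

if __name__ == "__main__":
    neighbor = parse_lldpdu(SAMPLE_LLDPDU)
    print("unsafe  :", render_neighbor_row_unsafe(neighbor))
    print("escaped :", render_neighbor_row(neighbor))
    print("alert on:", suspicious_tlv_fields(neighbor))
```

The design point is that the fix belongs at the output boundary, not at frame reception: LLDP fields are legitimately free-form, so rejecting or rewriting them on ingest would corrupt neighbour data, whereas `html.escape` at render time makes the same stored value harmless regardless of how it arrived. `suspicious_tlv_fields` is a complementary monitoring check, useful on a segment where the switch firmware cannot yet be updated.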
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Phoenix Contact/FL NAT v5, Range: SMN 8TX (2989365)
- Range: SMCS 16TX (2700996)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] cert.vde.com/en-us/advisories/vde-2021-023 (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.