Unrated severity · NVD Advisory · Published May 10, 2022 · Updated Dec 9, 2025

CVE-2022-29876

Description

A vulnerability has been identified in SICAM T (All versions < V3.0). Affected devices do not properly handle the input of a GET request parameter. The provided argument is directly reflected in the web server response. This could allow an unauthenticated attacker to perform reflected XSS attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in SICAM T web interface allows unauthenticated attackers to inject arbitrary JavaScript via a GET parameter.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of SICAM T devices running versions prior to V3.0. The affected endpoint does not properly sanitize a GET request parameter, and the provided argument is directly reflected in the HTTP response without encoding. This allows an attacker to inject arbitrary HTML and JavaScript into the page. The vulnerability is present in all versions of SICAM T before V3.0 [2].
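The mechanism described above, as an added example that is not SICAM T code or part of the advisory: a response template that reflects a GET parameter verbatim, beside the same template with HTML encoding applied. The path `/status`, the parameter name `msg` and the page template are hypothetical, since the advisory names neither the endpoint nor the parameter.

```python
# Added illustration; not SICAM T firmware code. The path "/status" and the
# parameter name "msg" are hypothetical: the advisory names neither.
import html
from urllib.parse import urlsplit, parse_qs, quote

# Hypothetical page that reflects the value in a text node and in an attribute.
PAGE = ('<html><body><p>Status: {msg}</p>'
        '<input name="msg" value="{msg}"></body></html>')


def _param(url: str, name: str) -> str:
    """Return the first (percent-decoded) value of a GET parameter, or ''."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim: markup in the URL becomes markup in the page."""
    return PAGE.format(msg=_param(url, "msg"))


def render_hardened(url: str) -> str:
    """HTML-encodes the value first; quote=True also covers the quoted attribute."""
    return PAGE.format(msg=html.escape(_param(url, "msg"), quote=True))


def reflects_markup(body: str, probe: str) -> bool:
    """Defender's check: does the raw probe string survive into the response?"""
    return probe in body


# Constructed probes: inert marker tags for the text and attribute contexts.
PROBE_TEXT = "<b id=probe>x</b>"
PROBE_ATTR = '"><i id=probe>'

if __name__ == "__main__":
    for probe in (PROBE_TEXT, PROBE_ATTR):
        url = "/status?msg=" + quote(probe)
        print(repr(probe),
              "vulnerable:", reflects_markup(render_vulnerable(url), probe),
              "hardened:", reflects_markup(render_hardened(url), probe))
```

The same probe-and-compare check can be pointed at a patched build's responses to confirm that reflected values come back encoded.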

Exploitation

An unauthenticated attacker can craft a malicious URL containing a GET parameter with embedded JavaScript. The attacker must then trick a victim into clicking the link (e.g., via phishing or social engineering). No authentication or prior access to the device is required. The victim's browser executes the injected script in the context of the SICAM T web interface [2].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of sensitive data, defacement of the web interface, or redirection to malicious sites. The attack is limited to the browser session of the victim and does not directly compromise the device itself, but it can be used to perform actions on behalf of an authenticated user if the victim is logged in [2].

Mitigation

Siemens has released SICAM T V3.0 which fixes this vulnerability. Users should update to V3.0 or later. As interim mitigations, restrict access to port 443/tcp to trusted IP addresses only, and advise users not to click links from untrusted sources while logged into the SICAM T web interface [2].

References
  1. SSA-471761

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
