CVE-2022-29882
Description
A vulnerability has been identified in SICAM T (All versions < V3.0). Affected devices do not handle uploaded files correctly. An unauthenticated attacker could take advantage of this situation to store an XSS attack, which could - when a legitimate user accesses the error logs - perform arbitrary actions in the name of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in SICAM T web interface before V3.0 allows unauthenticated attackers to execute arbitrary actions in a user's session via crafted uploads.
Vulnerability
CVE-2022-29882 is a stored cross-site scripting (XSS) vulnerability in the web interface of Siemens SICAM T devices (all versions prior to V3.0) [2]. The affected devices do not properly handle uploaded files, allowing an unauthenticated attacker to inject malicious scripts that are stored on the server. The injected script is executed when a legitimate user accesses the error logs of the device [2].
Exploitation
An unauthenticated attacker with network access to the SICAM T web interface can craft an upload containing malicious JavaScript. The attacker does not need any prior authentication or special privileges. No user interaction is required for the upload itself, but the XSS payload executes only when a victim user visits the error log page [2]. The attack does not rely on a race condition or specific timing.
Impact
Successful exploitation allows the attacker to perform arbitrary actions in the context of the victim user's session on the SICAM T device. This can lead to information disclosure, unintended configuration changes, or other actions the victim user is authorized to perform [2]. The CVSS v3.1 base score is 9.9 (Critical) [2].
Mitigation
Siemens has released version V3.00 of SICAM T which fixes this vulnerability [2]. Users should update to V3.00 or later as soon as possible. As a workaround, restrict access to port 443/tcp to trusted IP addresses only, and advise users not to access links from untrusted sources while logged into SICAM T [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- Range: <3.0
- Siemens/SICAM T v5 Range: 0
Patches
0
No patches discovered yet.
References
3
News mentions
0
No linked articles in our index yet.