Phoenix Contact released new firmware to fix a cross-site scripting vulnerability in its FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH products, according to a report with ICS-CERT.
Successful exploitation of this remotely exploitable vulnerability, discovered by Maxim Rupp, may allow a remote attacker to change configuration variables on the device.
The following models running firmware versions prior to 1.99, 2.20, or 2.40 of FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH, industrial networking equipment, suffer from the issue:
• FL COMSERVER BASIC 232/422/485
• FL COMSERVER UNI 232/422/485
• FL COMSERVER BAS 232/422/485-T
• FL COMSERVER UNI 232/422/485-T
• FL COM SERVER RS232
• FL COM SERVER RS485
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
The cross-site scripting vulnerability has been identified, which may allow remote code execution.
CVE-2017-16723 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.2.
The products see use in the communications, critical manufacturing and information technology sectors. They also see action on a global basis.
Germany-based Phoenix Contact released new firmware versions for the affected devices. Click here for the latest download links.