Tridium has new software to mitigate a cross-site scripting vulnerability in its Niagara Enterprise Security, Niagara AX, and Niagara 4 products, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability, discovered by Daniel Santos and Elisa Costante of SecurityMatters, could allow an authenticated user to inject client-side scripts into some web pages that could then be viewed by other users.
The following Tridium products are affected:
• Niagara Enterprise Security 2.3u1, all versions prior to 184.108.40.206
• Niagara AX 3.8u4, all versions prior to 3.8.401.1
• Niagara 4.4u2, all versions prior to 220.127.116.11.2
• Niagara 4.6, all versions prior to 18.104.22.168.4
The cross-site scripting vulnerability may allow a remote attacker to inject code into some web pages, affecting confidentiality.
CVE-2018-18985 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.7.
The product sees use in the commercial facilities, critical manufacturing, government facilities, and information technology sectors. It is also deployed on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
Tridium recommends affected users upgrade to the latest versions of the software (login required):
• Niagara Enterprise Security 2.3u1 Version 22.214.171.124
• Niagara AX 3.8u4 Version 3.8.401.1
• Niagara 4.4u2 Version 126.96.36.199.2
• Niagara 4.6 Version 188.8.131.52.4
For more information, see Tridium’s security bulletin SB 2018-Tridium-2.