
Tridium has new software to mitigate a cross-site scripting vulnerability in its Niagara Enterprise Security, Niagara AX, and Niagara 4, according to a report with NCCIC.

Successful exploitation of this remotely exploitable vulnerability, discovered by Daniel Santos and Elisa Costante of SecurityMatters, could allow an authenticated user to inject client-side scripts into some web pages that could then be viewed by other users.

The following Tridium products are affected:
• Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6
• Niagara AX 3.8u4, all versions prior to 3.8.401.1
• Niagara 4.4u2, all versions prior to 4.4.93.40.2
• Niagara 4.6, all versions prior to 4.6.96.28.4

In this issue, a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.
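The defect class above is stored cross-site scripting: text saved by one authenticated user is later rendered, unencoded, into a page that other users view. The following is an added example written for this article, not code from Tridium, Niagara, or the SecurityMatters researchers; the table template, the `displayName` field and the Content-Security-Policy value are assumptions used for illustration. It places the vulnerable rendering beside the hardened one and adds a check that reports whether untrusted input reached the output as live markup.

```javascript
// Added example, not Tridium's or SecurityMatters' code: how contextual output
// encoding stops the stored cross-site scripting pattern described above,
// where a low-privileged authenticated user saves text that is later rendered
// into a page viewed by other users. Template and field name are assumptions.

// Characters that carry meaning in HTML element content or quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode an untrusted value for the HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the stored value is concatenated straight into markup,
// so any tags it contains become part of the page served to every viewer.
function renderUnsafe(displayName) {
  return `<td class="user">${displayName}</td>`;
}

// Hardened rendering: same template, but the value is encoded for the context
// it lands in, so the browser displays the characters instead of parsing them.
function renderSafe(displayName) {
  return `<td class="user">${escapeHtml(displayName)}</td>`;
}

// Defense in depth: a restrictive Content-Security-Policy header refuses to run
// inline scripts even if an encoding bug slips through. The policy value is an
// assumed example, not one taken from the Tridium bulletin.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Detection-style check for a template test suite: did any tag present in the
// untrusted input survive verbatim into the rendered output?
function leaksMarkup(html, untrusted) {
  const tagsInInput = untrusted.match(/<[a-zA-Z!\/][^>]*>/g) || [];
  return tagsInInput.some((tag) => html.includes(tag));
}

// Constructed sample: a stored display name that carries a script tag.
const STORED_NAME = 'operator<script>console.log("xss")</script>';

function demo() {
  const unsafe = renderUnsafe(STORED_NAME);
  const safe = renderSafe(STORED_NAME);
  console.log('unsafe:', unsafe, '| leaks markup:', leaksMarkup(unsafe, STORED_NAME));
  console.log('safe  :', safe, '| leaks markup:', leaksMarkup(safe, STORED_NAME));
  console.log('CSP   :', cspHeader());
  return { unsafe, safe };
}

demo();
```

The encoding function is deliberately limited to the HTML text and attribute contexts; a value placed inside a JavaScript string, a URL, or a CSS rule needs its own encoder, and `leaksMarkup` is a regression check for templates rather than a substitute for encoding at render time.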

CVE-2018-18985 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.7.

The product sees use in the commercial facilities, critical manufacturing, government facilities, and information technology sectors, and is deployed on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

Tridium recommends affected users upgrade to the latest versions of the software (login required).

• Niagara Enterprise Security 2.3u1: Version 2.3.118.6
• Niagara AX 3.8u4: Version 3.8.401.1
• Niagara 4.4u2: Version 4.4.93.40.2
• Niagara 4.6: Version 4.6.96.28.4

For more information, see Tridium’s security bulletin SB 2018-Tridium-2.