CVE-2020-7575 : What You Need to Know

A vulnerability has been identified in Climatix POL908 (BACnet/IP module) and Climatix POL909 (AWM module) that could allow an attacker to inject arbitrary JavaScript code via specially crafted GET requests.

Understanding CVE-2020-7575

This CVE involves a persistent cross-site scripting (XSS) vulnerability in the web server access log page of the affected devices.

What is CVE-2020-7575?

The vulnerability in Climatix POL908 and POL909 allows an attacker to compromise the confidentiality and integrity of other users' web sessions by injecting malicious JavaScript code.

The Impact of CVE-2020-7575

Attackers can execute arbitrary JavaScript code on the affected devices without requiring system privileges.
The security flaw could be exploited by an attacker with network access to the system.

Technical Details of CVE-2020-7575

This section provides more in-depth technical information about the vulnerability.

Vulnerability Description

The vulnerability is due to improper neutralization of script-related HTML tags in a web page, leading to a basic XSS attack.

Affected Systems and Versions

Climatix POL908 (BACnet/IP module): All versions
Climatix POL909 (AWM module): All versions < V11.32

Exploitation Mechanism

An attacker can inject malicious JavaScript code through specially crafted GET requests on the web server access log page.

Mitigation and Prevention

Protecting systems from CVE-2020-7575 requires immediate actions and long-term security practices.

Immediate Steps to Take

Apply vendor-supplied patches or updates to fix the vulnerability.
Monitor network traffic for any suspicious activities.

Long-Term Security Practices

Regularly update and patch all software and firmware to prevent vulnerabilities.
Implement network segmentation to limit the impact of potential attacks.

Patching and Updates

Siemens has provided a security advisory with patches to address the vulnerability.