Description
A high-privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting').
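Added example, not Beckhoff's code or the affected product's implementation: the vulnerable pattern (a custom CSS value concatenated into a `<style>` element) beside a check and a hardened renderer, assuming the value is emitted server-side and that `MAX_CSS_CHARS` is an arbitrary limit.

```javascript
// Added example, not the vendor's code. Inside a <style> element the text is
// raw: the HTML parser ends the element only at "</style" followed by
// whitespace, ">" or "/". Neutralizing "<" is therefore the control that
// keeps a custom-CSS field from starting a new tag in the generated page.
const STYLE_BREAKOUT = /<\/style[\t\n\f\r />]/i;
const MAX_CSS_CHARS = 64 * 1024; // assumed size limit for a theme override

// Vulnerable pattern: the submitted value is concatenated as-is.
function renderStyleBlockUnsafe(css) {
  return `<style>${css}</style>`;
}

// Check usable on submitted values, or on stored ones during an audit:
// returns a reason string, or null when the value looks clean.
function findCssBreakout(css) {
  if (typeof css !== 'string') return 'not a string';
  if (css.length > MAX_CSS_CHARS) return 'exceeds size limit';
  if (STYLE_BREAKOUT.test(css)) return 'contains </style terminator';
  if (css.includes('<')) return 'contains "<"';
  return null;
}

// Hardened pattern: "<" is rewritten as the CSS hex escape "\3c " (the
// trailing space is consumed by the escape), so a legitimate
// content: "<" string still renders while "</style" can no longer occur.
function neutralizeCss(css) {
  return css.replace(/</g, '\\3c ');
}

function renderStyleBlock(css) {
  const problem = findCssBreakout(css);
  if (problem === 'not a string' || problem === 'exceeds size limit') {
    throw new Error(`custom CSS rejected: ${problem}`);
  }
  return `<style>${neutralizeCss(css)}</style>`;
}

// Constructed sample: the kind of value an unneutralized field lets through.
const SAMPLE = 'body { color: #333 }</style><b>injected</b><style>';
```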
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None
Affected products
- Beckhoff Automation / TF2000-HMI-Server 0.0.0 – 14.4.267
- Beckhoff Automation / TwinCAT.HMI.Server 0.0.0 – 14.4.267
References
- VENDOR_ADVISORY: https://certvde.com/de/advisories/VDE-2025-106