CVE-2022-45137 – WAGO: Reflective Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-45137
The configuration backend of the web-based management is vulnerable to reflected XSS (Cross-Site Scripting) attacks that targets the users browser. This leads to a limited impact of confidentiality and integrity but no impact of availability. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-3738 – WAGO: Missing authentication for config export functionality in multiple products
https://notcve.org/view.php?id=CVE-2022-3738
The vulnerability allows a remote unauthenticated attacker to download a backup file, if one exists. That backup file might contain sensitive information like credentials and cryptographic material. A valid user has to create a backup after the last reboot for this attack to be successfull. La vulnerabilidad permite a un atacante remoto no autenticado descargar un archivo de copia de seguridad, si existe. Ese archivo de copia de seguridad puede contener información confidencial, como credenciales y material criptográfico. • https://cert.vde.com/en/advisories/VDE-2022-054 • CWE-306: Missing Authentication for Critical Function •