Opcenter/TIA Portal UMC WebUI CORS Overpermissiveness (V18 Update 3)
CVE-2023-46281 Published on December 12, 2023
A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). When accessing the UMC Web-UI from affected products, UMC uses an overly permissive CORS policy. This could allow an attacker to trick a legitimate user into triggering unwanted behavior.
Weakness Type
Permissive Cross-domain Policy with Untrusted Domains
The software uses a cross-domain policy file that includes domains that should not be trusted.
Affected Versions
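- Siemens Opcenter Execution Foundation: versions before V2407 are affected.
- Siemens Opcenter Quality: versions before V2312 are affected.
- Siemens SIMATIC PCS neo: versions before V4.1 are affected.
- Siemens SINEC NMS: versions before V2.0 SP1 are affected.
- Siemens Totally Integrated Automation Portal (TIA Portal) V14: all versions are affected.
- Siemens Totally Integrated Automation Portal (TIA Portal) V15.1: all versions are affected.
- Siemens Totally Integrated Automation Portal (TIA Portal) V16: all versions are affected.
- Siemens Totally Integrated Automation Portal (TIA Portal) V17: versions before V17 Update 8 are affected.
- Siemens Totally Integrated Automation Portal (TIA Portal) V18: versions before V18 Update 3 are affected.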
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.