CVE-2025-27455 (GCVE-0-2025-27455)

Vulnerability from cvelistv5 – Published: 2025-07-03 11:30 – Updated: 2025-07-03 13:15
VLAI?
Summary
The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects.
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE
  • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
https://www.endress.com x_Endress+Hauser
https://sick.com/psirt x_SICK PSIRT Security Advisories
https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
https://www.sick.com/.well-known/csaf/white/2025/… x_The canonical URL.
https://sick.com/psirt vendor-advisory
https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
Impacted products
Vendor Product Version
Endress+Hauser Endress+Hauser MEAC300-FNADE4 Affected: 0 , ≤ <=0.16.0 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27455",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-03T12:59:47.844638Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-03T13:15:59.115Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Endress+Hauser MEAC300-FNADE4",
          "vendor": "Endress+Hauser",
          "versions": [
            {
              "lessThanOrEqual": "\u003c=0.16.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Endress+Hauser MEAC300-FNADE4",
          "vendor": "Endress+Hauser",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003e=0.17.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects.\u003c/p\u003e"
            }
          ],
          "value": "The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1021",
              "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-03T11:30:49.265Z",
        "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "shortName": "SICK AG"
      },
      "references": [
        {
          "tags": [
            "x_Endress+Hauser"
          ],
          "url": "https://www.endress.com"
        },
        {
          "tags": [
            "x_SICK PSIRT Security Advisories"
          ],
          "url": "https://sick.com/psirt"
        },
        {
          "tags": [
            "x_ICS-CERT recommended practices on Industrial Security"
          ],
          "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
        },
        {
          "tags": [
            "x_CVSS v3.1 Calculator"
          ],
          "url": "https://www.first.org/cvss/calculator/3.1"
        },
        {
          "tags": [
            "x_The canonical URL."
          ],
          "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://sick.com/psirt"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCustomers are strongly advised to update to the newest version.\u003c/p\u003e"
            }
          ],
          "value": "Customers are strongly advised to update to the newest version."
        }
      ],
      "source": {
        "advisory": "SCA-2025-0008",
        "discovery": "INTERNAL"
      },
      "title": "CVE-2025-27455",
      "x_generator": {
        "engine": "csaf2cve 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
    "assignerShortName": "SICK AG",
    "cveId": "CVE-2025-27455",
    "datePublished": "2025-07-03T11:30:49.265Z",
    "dateReserved": "2025-02-26T08:39:58.980Z",
    "dateUpdated": "2025-07-03T13:15:59.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-27455\",\"sourceIdentifier\":\"psirt@sick.de\",\"published\":\"2025-07-03T12:15:23.520\",\"lastModified\":\"2025-07-03T15:13:53.147\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects.\"},{\"lang\":\"es\",\"value\":\"La aplicaci\u00f3n web es vulnerable a ataques de clickjacking. El sitio puede estar incrustado en otro frame, lo que permite a un atacante enga\u00f1ar al usuario para que haga clic en algo distinto a lo que percibe, lo que podr\u00eda revelar informaci\u00f3n confidencial o permitir que otros tomen el control de su ordenador mientras hacen clic en objetos aparentemente inofensivos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@sick.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@sick.de\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1021\"}]}],\"references\":[{\"url\":\"https://sick.com/psirt\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://sick.com/psirt\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.cisa.gov/resources-tools/resources/ics-recommended-practices\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.endress.com\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.first.org/cvss/calculator/3.1\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf\",\"source\":\"psirt@sick.de\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27455\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-03T12:59:47.844638Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-03T13:04:17.287Z\"}}], \"cna\": {\"title\": \"CVE-2025-27455\", \"source\": {\"advisory\": \"SCA-2025-0008\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\", \"temporalScore\": 4.3, \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"temporalSeverity\": \"MEDIUM\", \"availabilityImpact\": \"NONE\", \"environmentalScore\": 4.3, \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"environmentalSeverity\": \"MEDIUM\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Endress+Hauser\", \"product\": \"Endress+Hauser MEAC300-FNADE4\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"\u003c=0.16.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Endress+Hauser\", \"product\": \"Endress+Hauser MEAC300-FNADE4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"\u003e=0.17.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Customers are strongly advised to update to the newest version.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eCustomers are strongly advised to update to the newest version.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.endress.com\", \"tags\": [\"x_Endress+Hauser\"]}, {\"url\": \"https://sick.com/psirt\", \"tags\": [\"x_SICK PSIRT Security Advisories\"]}, {\"url\": \"https://www.cisa.gov/resources-tools/resources/ics-recommended-practices\", \"tags\": [\"x_ICS-CERT recommended practices on Industrial Security\"]}, {\"url\": \"https://www.first.org/cvss/calculator/3.1\", \"tags\": [\"x_CVSS v3.1 Calculator\"]}, {\"url\": \"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json\", \"tags\": [\"x_The canonical URL.\"]}, {\"url\": \"https://sick.com/psirt\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"csaf2cve 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1021\", \"description\": \"CWE-1021 Improper Restriction of Rendered UI Layers or Frames\"}]}], \"providerMetadata\": {\"orgId\": \"a6863dd2-93fc-443d-bef1-79f0b5020988\", \"shortName\": \"SICK AG\", \"dateUpdated\": \"2025-07-03T11:30:49.265Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27455\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-03T13:15:59.115Z\", \"dateReserved\": \"2025-02-26T08:39:58.980Z\", \"assignerOrgId\": \"a6863dd2-93fc-443d-bef1-79f0b5020988\", \"datePublished\": \"2025-07-03T11:30:49.265Z\", \"assignerShortName\": \"SICK AG\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.