VDE-2023-017
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2023-08-08 04:00 - Updated: 2025-05-22 13:03Summary
Phoenix Contact: Multiple vulnerabilities in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices
Notes
Summary: Two vulnerabilities have been discovered in the firmware of TC ROUTER and TC CLOUD CLIENT devices.
Update A, 2024-08-12
Added a summary text
Added details to impact
Impact: CVE-2023-3526
An attacker could embed a link on a page controlled by him that includes malicious scripts and points to the license viewer page. These scripts are executed in a victim's browser when they open the page containing the vulnerable field.
CVE-2023-3569
An authenticated attacker could use the file upload function to upload a crafted XML to cause a denial of service.
Mitigation: Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.
Measures to protect network-capable devices with Ethernet connection
Remediation: Phoenix Contact strongly recommends updating to the latest available firmware version, which fixes these vulnerabilities.
In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user's browser.
9.6 (Critical)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Phoenix Contact strongly recommends updating to the latest available firmware version, which fixes these vulnerabilities.
In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a denial-of-service.
4.9 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Phoenix Contact strongly recommends updating to the latest available firmware version, which fixes these vulnerabilities.
References
Acknowledgments
CERT@VDE
certvde.com
St. Pölten UAS
A. Resanovic
S. Stockinger
CyberDanube Security Research
T. Weber
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"A. Resanovic",
"S. Stockinger"
],
"organization": "St. P\u00f6lten UAS",
"summary": "discovering"
},
{
"names": [
"T. Weber"
],
"organization": "CyberDanube Security Research",
"summary": "discovering"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Two vulnerabilities have been discovered in the firmware of TC ROUTER and TC CLOUD CLIENT devices.\n\nUpdate A, 2024-08-12\n\nAdded a summary text\nAdded details to impact",
"title": "Summary"
},
{
"category": "description",
"text": "CVE-2023-3526\n\nAn attacker could embed a link on a page controlled by him that includes malicious scripts and points to the license viewer page. These scripts are executed in a victim\u0027s browser when they open the page containing the vulnerable field.\n\nCVE-2023-3569\n\nAn authenticated attacker could use the file upload function to upload a crafted XML to cause a denial of service.",
"title": "Impact"
},
{
"category": "description",
"text": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.\nMeasures to protect network-capable devices with Ethernet connection",
"title": "Mitigation"
},
{
"category": "description",
"text": "Phoenix Contact strongly recommends updating to the latest available firmware version, which fixes these vulnerabilities.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "self",
"summary": "VDE-2023-017: Phoenix Contact: Multiple vulnerabilities in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-017/"
},
{
"category": "self",
"summary": "VDE-2023-017: Phoenix Contact: Multiple vulnerabilities in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-017.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Phoenix Contact GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
}
],
"title": "Phoenix Contact: Multiple vulnerabilities in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices",
"tracking": {
"aliases": [
"VDE-2023-017"
],
"current_release_date": "2025-05-22T13:03:10.000Z",
"generator": {
"date": "2025-04-14T07:36:10.253Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.23"
}
},
"id": "VDE-2023-017",
"initial_release_date": "2023-08-08T04:00:00.000Z",
"revision_history": [
{
"date": "2023-08-08T04:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2024-08-12T10:00:00.000Z",
"number": "2",
"summary": "Update A"
},
{
"date": "2025-05-22T13:03:10.000Z",
"number": "3",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CLOUD CLIENT 1101T-TX/TX",
"product": {
"name": "CLOUD CLIENT 1101T-TX/TX",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"1221706"
]
}
}
},
{
"category": "product_name",
"name": "TC CLOUD CLIENT 1002-4G",
"product": {
"name": "TC CLOUD CLIENT 1002-4G",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"2702886"
]
}
}
},
{
"category": "product_name",
"name": "TC CLOUD CLIENT 1002-4G ATT",
"product": {
"name": "TC CLOUD CLIENT 1002-4G ATT",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"2702888"
]
}
}
},
{
"category": "product_name",
"name": "TC CLOUD CLIENT 1002-4G VZW",
"product": {
"name": "TC CLOUD CLIENT 1002-4G VZW",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"2702887"
]
}
}
},
{
"category": "product_name",
"name": "TC ROUTER 3002T-4G",
"product": {
"name": "TC ROUTER 3002T-4G",
"product_id": "CSAFPID-11005",
"product_identification_helper": {
"model_numbers": [
"2702528"
]
}
}
},
{
"category": "product_name",
"name": "TC ROUTER 3002T-4G ATT",
"product": {
"name": "TC ROUTER 3002T-4G ATT",
"product_id": "CSAFPID-11006",
"product_identification_helper": {
"model_numbers": [
"2702533"
]
}
}
},
{
"category": "product_name",
"name": "TC ROUTER 3002T-4G VZW",
"product": {
"name": "TC ROUTER 3002T-4G VZW",
"product_id": "CSAFPID-11007",
"product_identification_helper": {
"model_numbers": [
"2702532"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.06.10",
"product": {
"name": "Firmware \u003c2.06.10",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version_range",
"name": "\u003c2.07.2",
"product": {
"name": "Firmware \u003c2.07.2",
"product_id": "CSAFPID-21002"
}
},
{
"category": "product_version",
"name": "2.06.10",
"product": {
"name": "Firmware 2.06.10",
"product_id": "CSAFPID-22001"
}
},
{
"category": "product_version",
"name": "2.07.2",
"product": {
"name": "Firmware 2.07.2",
"product_id": "CSAFPID-22002"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Phoenix Contact"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.06.10 installed on CLOUD CLIENT 1101T-TX/TX",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.07.2 installed on TC CLOUD CLIENT 1002-4G",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.07.2 installed on TC CLOUD CLIENT 1002-4G ATT",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.07.2 installed on TC CLOUD CLIENT 1002-4G VZW",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.07.2 installed on TC ROUTER 3002T-4G",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.07.2 installed on TC ROUTER 3002T-4G ATT",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.07.2 installed on TC ROUTER 3002T-4G VZW",
"product_id": "CSAFPID-31007"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.06.10 installed on CLOUD CLIENT 1101T-TX/TX",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.07.2 installed on TC CLOUD CLIENT 1002-4G",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.07.2 installed on TC CLOUD CLIENT 1002-4G ATT",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.07.2 installed on TC CLOUD CLIENT 1002-4G VZW",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.07.2 installed on TC ROUTER 3002T-4G",
"product_id": "CSAFPID-32005"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.07.2 installed on TC ROUTER 3002T-4G ATT",
"product_id": "CSAFPID-32006"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.07.2 installed on TC ROUTER 3002T-4G VZW",
"product_id": "CSAFPID-32007"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11007"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-3526",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "description",
"text": "In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user\u0027s browser.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Phoenix Contact strongly recommends updating to the latest available firmware version, which fixes these vulnerabilities.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.7,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"temporalScore": 9.6,
"temporalSeverity": "CRITICAL",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
}
],
"title": "CVE-2023-3526"
},
{
"cve": "CVE-2023-3569",
"cwe": {
"id": "CWE-776",
"name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)"
},
"notes": [
{
"category": "description",
"text": "In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a denial-of-service.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Phoenix Contact strongly recommends updating to the latest available firmware version, which fixes these vulnerabilities.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 4.9,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"temporalScore": 4.9,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007"
]
}
],
"title": "CVE-2023-3569"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…