CVE-2025-49191

{"id": "CVE-2025-49191", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@sick.de", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-06-12T14:15:31.690", "references": [{"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF", "tags": ["Broken Link"], "source": "psirt@sick.de"}, {"url": "https://sick.com/psirt", "tags": ["Vendor Advisory"], "source": "psirt@sick.de"}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "tags": ["US Government Resource"], "source": "psirt@sick.de"}, {"url": "https://www.first.org/cvss/calculator/3.1", "tags": ["Not Applicable"], "source": "psirt@sick.de"}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json", "tags": ["Vendor Advisory"], "source": "psirt@sick.de"}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf", "tags": ["Vendor Advisory"], "source": "psirt@sick.de"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@sick.de", "description": [{"lang": "en", "value": "CWE-1021"}]}], "descriptions": [{"lang": "en", "value": "Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets."}, {"lang": "es", "value": "Las URL vinculadas durante la creaci\u00f3n de widgets iFrame y paneles son vulnerables a la ejecuci\u00f3n de c\u00f3digo. Estas URL se incrustan como widgets iFrame, lo que permite atacar a otros usuarios que acceden al panel mediante la inclusi\u00f3n de c\u00f3digo malicioso. El ataque solo es posible si el atacante est\u00e1 autorizado a crear nuevos paneles o widgets iFrame."}], "lastModified": "2026-01-29T17:31:53.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sick:field_analytics:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62EE84A7-E93D-411E-A6FC-4BEE5F4CD16D"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@sick.de"}