ГлавнаяУязвимости → CVE-2025-41746
7.1высокая

CVE-2025-41746

Описание

An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

Затрагиваемое ПО
Phoenixcontact Fl switch 2406-2sfx pn firmwarePhoenixcontact Fl switch 2406-2sfx pnPhoenixcontact Fl switch 2408 firmwarePhoenixcontact Fl switch 2408Phoenixcontact Fl switch 2408 pn firmwarePhoenixcontact Fl switch 2408 pnPhoenixcontact Fl switch 2412-2tc-2sfx firmwarePhoenixcontact Fl switch 2412-2tc-2sfxPhoenixcontact Fl switch 2414-2sfx firmwarePhoenixcontact Fl switch 2414-2sfxPhoenixcontact Fl switch 2414-2sfx pn firmwarePhoenixcontact Fl switch 2414-2sfx pnPhoenixcontact Fl switch 2416 firmwarePhoenixcontact Fl switch 2416Phoenixcontact Fl switch 2416 pn firmwarePhoenixcontact Fl switch 2416 pnPhoenixcontact Fl switch 2504-2gc-2sfp firmwarePhoenixcontact Fl switch 2504-2gc-2sfpPhoenixcontact Fl switch 2506-2sfp firmwarePhoenixcontact Fl switch 2506-2sfpPhoenixcontact Fl switch 2506-2sfp\/k1 firmwarePhoenixcontact Fl switch 2506-2sfp\/k1Phoenixcontact Fl switch 2506-2sfp pn firmwarePhoenixcontact Fl switch 2506-2sfp pnPhoenixcontact Fl switch 2508 firmware
CVSS
Балл7.1 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Источники
https://certvde.com/de/advisories/VDE-2025-071