Cross-site scripting Vulnerability in Teamcenter Active Workspace
Monitor | 6.1 | SSA-401167 | Jun 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Teamcenter Active Workspace contains a cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious JavaScript code. Affected versions: V5.2 before 5.2.9 and V6.0 before 6.0.3. Siemens has released patched versions addressing this issue.
What this means
What could happen
An attacker could inject malicious script into Teamcenter Active Workspace to steal user session data or credentials from engineering workstations. This could compromise access to product lifecycle management systems that control design documentation and manufacturing data.
Who's at risk
Engineering teams and manufacturing organizations using Teamcenter Active Workspace for product lifecycle management, design collaboration, and manufacturing data control. Particularly relevant for discrete manufacturing, automotive, and heavy equipment companies where product data security is critical.
How it could be exploited
An attacker crafts a malicious URL or embeds JavaScript in a Teamcenter Active Workspace page. When an engineer clicks the link or views the page, the script executes in their browser with their session privileges, allowing credential theft or session hijacking.
Prerequisites
- User must click a malicious link or visit an attacker-controlled page that injects the payload
- Vulnerable version of Teamcenter Active Workspace must be in use (V5.2 < 5.2.9 or V6.0 < 6.0.3)
remotely exploitable, user interaction required (click), low complexity exploit
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Teamcenter Active Workspace V5.2 | < V5.2.9 | 5.2.9 |
| Teamcenter Active Workspace V6.0 | < V6.0.3 | 6.0.3 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Teamcenter Active Workspace V5.2
HOTFIX: Update Teamcenter Active Workspace V5.2 to version 5.2.9 or later
Teamcenter Active Workspace V6.0
HOTFIX: Update Teamcenter Active Workspace V6.0 to version 6.0.3 or later
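To find which installations still need the update, the version ranges above can be checked against a deployment inventory. The following is an added example, not code from Siemens or from this advisory; the `host,version` inventory format and the hostnames are assumptions, and a version reported without a patch level is treated as patch 0 so that it is flagged rather than missed.

```python
import re

# Fixed release per branch, from the advisory's affected-products table.
FIXED = {(5, 2): (5, 2, 9), (6, 0): (6, 0, 3)}
_VERSION = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) or None; a missing patch level counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def classify(version_text):
    """Classify one installed version against the advisory's ranges."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "not-listed"  # advisory lists only the V5.2 and V6.0 branches
    return "affected" if v < fixed else "fixed"

def triage(inventory_lines):
    """Map host -> status for 'host,version' lines; skips blanks and comments."""
    result = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result[host.strip()] = classify(version)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
# host,active_workspace_version
plm-web-01,V5.2.8
plm-web-02,5.2.9
plm-web-03,V6.0
plm-web-04,6.0.10
plm-web-05,V5.1.4
plm-web-06,unknown
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Versions are compared as integer tuples, so 6.0.10 is correctly treated as newer than 6.0.3. Hosts reported as `not-listed` or `unparseable` need manual review, since the advisory makes no statement about other branches.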
CVEs (1)