Skip to main content

Codesys CVE-2019-13538

HIGH
Cross-site Scripting (XSS) (CWE-79)
2019-09-17 ics-cert@hq.dhs.gov
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 17, 2019 - 20:15 nvd
HIGH 8.6

DescriptionNVD

3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the contents of manipulated libraries to be displayed or executed. The issue also exists for source libraries, but 3S-Smart Software Solutions GmbH strongly recommends distributing compiled libraries only.

AnalysisAI

3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. 3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the contents of manipulated libraries to be displayed or executed. The issue also exists for source libraries, but 3S-Smart Software Solutions GmbH strongly recommends distributing compiled libraries only. Affected products include: Codesys. Version information: prior to 3.5.16.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2021-34584 CRITICAL POC
9.1 Oct 26

Crafted web server requests can be utilised to read partial stack or heap memory or may trigger a denial-of- service con

CVE-2021-21869 HIGH POC
7.8 Aug 25

An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODE

CVE-2021-21868 HIGH POC
7.8 Aug 18

An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of C

CVE-2021-21867 HIGH POC
7.8 Aug 18

An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality o

CVE-2021-34586 HIGH POC
7.5 Oct 26

In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests may cause a Null pointer dereference in the

CVE-2021-34585 HIGH POC
7.5 Oct 26

In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests can trigger a parser error. Rated high sever

CVE-2021-34583 HIGH POC
7.5 Oct 26

Crafted web server requests may cause a heap-based buffer overflow and could therefore trigger a denial-of- service cond

CVE-2019-16265 CRITICAL
9.8 Oct 25

CODESYS V2.3 ENI server up to V3.2.2.24 has a Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-34595 HIGH
8.1 Oct 26

A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32

CVE-2025-41700 HIGH
7.8 Dec 01

An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated C

CVE-2021-34596 MEDIUM
6.5 Oct 26

A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCW

Share

CVE-2019-13538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy