Search

Find a vulnerability

Search criteria

    18 vulnerabilities found for SICK Field Analytics by SICK AG

    CVE-2025-49200 (GCVE-0-2025-49200)

    Vulnerability from nvd – Published: 2025-06-12 14:27 – Updated: 2025-06-17 18:59
    VLAI
    Title
    Unencrypted backup contains sensitive information
    Summary
    The created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49200",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:41:15.221063Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T18:59:46.867Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003e\n\n\u003ccode\u003eThe created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files.\u003c/code\u003e\n\n\u003c/code\u003e"
                }
              ],
              "value": "The created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-13T06:09:34.890Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Unencrypted backup contains sensitive information",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49200",
        "datePublished": "2025-06-12T14:27:57.643Z",
        "dateReserved": "2025-06-03T05:58:15.617Z",
        "dateUpdated": "2025-06-17T18:59:46.867Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49199 (GCVE-0-2025-49199)

    Vulnerability from nvd – Published: 2025-06-12 14:26 – Updated: 2025-06-17 19:02
    VLAI
    Title
    Backup files can be modified and uploaded
    Summary
    The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring the services in a way that they are unable to run, making the application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49199",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-17T19:02:09.527485Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T19:02:18.155Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring  the  services  in  a  way  that  they  are  unable  to  run,  making  the  application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information.\u003c/code\u003e"
                }
              ],
              "value": "The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring  the  services  in  a  way  that  they  are  unable  to  run,  making  the  application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345 Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-13T06:07:37.540Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Backup files can be modified and uploaded",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49199",
        "datePublished": "2025-06-12T14:26:32.507Z",
        "dateReserved": "2025-06-03T05:58:15.617Z",
        "dateUpdated": "2025-06-17T19:02:18.155Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49196 (GCVE-0-2025-49196)

    Vulnerability from nvd – Published: 2025-06-12 14:20 – Updated: 2025-06-17 19:03
    VLAI
    Title
    Deprecated TLS version supported
    Summary
    A service supports the use of a deprecated and unsafe TLS version. This could be exploited to expose sensitive information, modify data in unexpected ways or spoof identities of other users or devices, affecting the confidentiality and integrity of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49196",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:38:45.930361Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T19:03:56.791Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eA service supports the use of a deprecated and unsafe TLS version. This could be exploited to expose sensitive information, modify data in unexpected ways or spoof identities of other users or devices, affecting the confidentiality and integrity of the device.\u003c/code\u003e"
                }
              ],
              "value": "A service supports the use of a deprecated and unsafe TLS version. This could be exploited to expose sensitive information, modify data in unexpected ways or spoof identities of other users or devices, affecting the confidentiality and integrity of the device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-13T06:17:26.069Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Deprecated TLS version supported",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49196",
        "datePublished": "2025-06-12T14:20:53.321Z",
        "dateReserved": "2025-06-03T05:58:15.616Z",
        "dateUpdated": "2025-06-17T19:03:56.791Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49192 (GCVE-0-2025-49192)

    Vulnerability from nvd – Published: 2025-06-12 14:12 – Updated: 2025-06-12 14:34
    VLAI
    Title
    Clickjacking
    Summary
    The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:33:58.560372Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-12T14:34:02.694Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "SICK Media Server",
              "vendor": "SICK AG",
              "versions": [
                {
                  "lessThan": "1.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects.\u003c/code\u003e"
                }
              ],
              "value": "The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T14:12:11.750Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003e\n\nMedia Server: Users are strongly recommended to upgrade to the latest release of Media Server (\u0026gt;= 1.5).\u003c/code\u003e"
                }
              ],
              "value": "Media Server: Users are strongly recommended to upgrade to the latest release of Media Server (\u003e= 1.5)."
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Clickjacking",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eField Analytics: Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Field Analytics: Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49192",
        "datePublished": "2025-06-12T14:12:11.750Z",
        "dateReserved": "2025-06-03T05:58:15.616Z",
        "dateUpdated": "2025-06-12T14:34:02.694Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49191 (GCVE-0-2025-49191)

    Vulnerability from nvd – Published: 2025-06-12 14:08 – Updated: 2025-06-12 14:12
    VLAI
    Title
    Dashboards and iFrames can link malicious web content
    Summary
    Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49191",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:12:08.495610Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-12T14:12:22.866Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eLinked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.\u003c/code\u003e"
                }
              ],
              "value": "Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T14:08:02.756Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Dashboards and iFrames can link malicious web content",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49191",
        "datePublished": "2025-06-12T14:08:02.756Z",
        "dateReserved": "2025-06-03T05:58:15.615Z",
        "dateUpdated": "2025-06-12T14:12:22.866Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49190 (GCVE-0-2025-49190)

    Vulnerability from nvd – Published: 2025-06-12 14:06 – Updated: 2025-06-23 16:06
    VLAI
    Title
    Server-Side Request Forgery
    Summary
    The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49190",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:17:39.144222Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-23T16:06:29.793Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.\u003c/code\u003e"
                }
              ],
              "value": "The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T14:06:00.347Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Server-Side Request Forgery",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49190",
        "datePublished": "2025-06-12T14:06:00.347Z",
        "dateReserved": "2025-06-03T05:55:52.772Z",
        "dateUpdated": "2025-06-23T16:06:29.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49188 (GCVE-0-2025-49188)

    Vulnerability from nvd – Published: 2025-06-12 14:02 – Updated: 2025-06-17 19:04
    VLAI
    Title
    Sensitive Data in URL
    Summary
    The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-598 - Use of GET Request Method With Sensitive Query Strings
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49188",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:14:35.551923Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T19:04:38.200Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.\u003c/code\u003e"
                }
              ],
              "value": "The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-598",
                  "description": "CWE-598 Use of GET Request Method With Sensitive Query Strings",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T14:02:36.838Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Sensitive Data in URL",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49188",
        "datePublished": "2025-06-12T14:02:36.838Z",
        "dateReserved": "2025-06-03T05:55:52.772Z",
        "dateUpdated": "2025-06-17T19:04:38.200Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49187 (GCVE-0-2025-49187)

    Vulnerability from nvd – Published: 2025-06-12 13:29 – Updated: 2025-06-12 13:43
    VLAI
    Title
    User enumeration
    Summary
    For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-204 - Observable Response Discrepancy
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49187",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T13:43:39.937942Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-12T13:43:49.791Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eFor failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.\u003c/code\u003e"
                }
              ],
              "value": "For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-204",
                  "description": "CWE-204 Observable Response Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T13:29:45.731Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "User enumeration",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eIt is highly recommended to use a strong password with a length of at least eight characters and a combination of letters, numbers, capital letters and symbols. Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "It is highly recommended to use a strong password with a length of at least eight characters and a combination of letters, numbers, capital letters and symbols. Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49187",
        "datePublished": "2025-06-12T13:29:45.731Z",
        "dateReserved": "2025-06-03T05:55:52.772Z",
        "dateUpdated": "2025-06-12T13:43:49.791Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49185 (GCVE-0-2025-49185)

    Vulnerability from nvd – Published: 2025-06-12 13:25 – Updated: 2025-06-12 13:53
    VLAI
    Title
    Stored Cross-Site-Script
    Summary
    The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49185",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T13:53:21.717862Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-12T13:53:26.633Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.\u003c/code\u003e"
                }
              ],
              "value": "The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T13:25:42.718Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Stored Cross-Site-Script",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49185",
        "datePublished": "2025-06-12T13:25:42.718Z",
        "dateReserved": "2025-06-03T05:55:52.772Z",
        "dateUpdated": "2025-06-12T13:53:26.633Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49200 (GCVE-0-2025-49200)

    Vulnerability from cvelistv5 – Published: 2025-06-12 14:27 – Updated: 2025-06-17 18:59
    VLAI
    Title
    Unencrypted backup contains sensitive information
    Summary
    The created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49200",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:41:15.221063Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T18:59:46.867Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003e\n\n\u003ccode\u003eThe created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files.\u003c/code\u003e\n\n\u003c/code\u003e"
                }
              ],
              "value": "The created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-13T06:09:34.890Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Unencrypted backup contains sensitive information",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49200",
        "datePublished": "2025-06-12T14:27:57.643Z",
        "dateReserved": "2025-06-03T05:58:15.617Z",
        "dateUpdated": "2025-06-17T18:59:46.867Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49199 (GCVE-0-2025-49199)

    Vulnerability from cvelistv5 – Published: 2025-06-12 14:26 – Updated: 2025-06-17 19:02
    VLAI
    Title
    Backup files can be modified and uploaded
    Summary
    The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring the services in a way that they are unable to run, making the application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49199",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-17T19:02:09.527485Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T19:02:18.155Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring  the  services  in  a  way  that  they  are  unable  to  run,  making  the  application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information.\u003c/code\u003e"
                }
              ],
              "value": "The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring  the  services  in  a  way  that  they  are  unable  to  run,  making  the  application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345 Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-13T06:07:37.540Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Backup files can be modified and uploaded",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49199",
        "datePublished": "2025-06-12T14:26:32.507Z",
        "dateReserved": "2025-06-03T05:58:15.617Z",
        "dateUpdated": "2025-06-17T19:02:18.155Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49196 (GCVE-0-2025-49196)

    Vulnerability from cvelistv5 – Published: 2025-06-12 14:20 – Updated: 2025-06-17 19:03
    VLAI
    Title
    Deprecated TLS version supported
    Summary
    A service supports the use of a deprecated and unsafe TLS version. This could be exploited to expose sensitive information, modify data in unexpected ways or spoof identities of other users or devices, affecting the confidentiality and integrity of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49196",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:38:45.930361Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T19:03:56.791Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eA service supports the use of a deprecated and unsafe TLS version. This could be exploited to expose sensitive information, modify data in unexpected ways or spoof identities of other users or devices, affecting the confidentiality and integrity of the device.\u003c/code\u003e"
                }
              ],
              "value": "A service supports the use of a deprecated and unsafe TLS version. This could be exploited to expose sensitive information, modify data in unexpected ways or spoof identities of other users or devices, affecting the confidentiality and integrity of the device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-13T06:17:26.069Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Deprecated TLS version supported",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49196",
        "datePublished": "2025-06-12T14:20:53.321Z",
        "dateReserved": "2025-06-03T05:58:15.616Z",
        "dateUpdated": "2025-06-17T19:03:56.791Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49192 (GCVE-0-2025-49192)

    Vulnerability from cvelistv5 – Published: 2025-06-12 14:12 – Updated: 2025-06-12 14:34
    VLAI
    Title
    Clickjacking
    Summary
    The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:33:58.560372Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-12T14:34:02.694Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "SICK Media Server",
              "vendor": "SICK AG",
              "versions": [
                {
                  "lessThan": "1.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects.\u003c/code\u003e"
                }
              ],
              "value": "The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T14:12:11.750Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003e\n\nMedia Server: Users are strongly recommended to upgrade to the latest release of Media Server (\u0026gt;= 1.5).\u003c/code\u003e"
                }
              ],
              "value": "Media Server: Users are strongly recommended to upgrade to the latest release of Media Server (\u003e= 1.5)."
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Clickjacking",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eField Analytics: Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Field Analytics: Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49192",
        "datePublished": "2025-06-12T14:12:11.750Z",
        "dateReserved": "2025-06-03T05:58:15.616Z",
        "dateUpdated": "2025-06-12T14:34:02.694Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49191 (GCVE-0-2025-49191)

    Vulnerability from cvelistv5 – Published: 2025-06-12 14:08 – Updated: 2025-06-12 14:12
    VLAI
    Title
    Dashboards and iFrames can link malicious web content
    Summary
    Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49191",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:12:08.495610Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-12T14:12:22.866Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eLinked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.\u003c/code\u003e"
                }
              ],
              "value": "Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T14:08:02.756Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Dashboards and iFrames can link malicious web content",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49191",
        "datePublished": "2025-06-12T14:08:02.756Z",
        "dateReserved": "2025-06-03T05:58:15.615Z",
        "dateUpdated": "2025-06-12T14:12:22.866Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49190 (GCVE-0-2025-49190)

    Vulnerability from cvelistv5 – Published: 2025-06-12 14:06 – Updated: 2025-06-23 16:06
    VLAI
    Title
    Server-Side Request Forgery
    Summary
    The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49190",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:17:39.144222Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-23T16:06:29.793Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.\u003c/code\u003e"
                }
              ],
              "value": "The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T14:06:00.347Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Server-Side Request Forgery",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49190",
        "datePublished": "2025-06-12T14:06:00.347Z",
        "dateReserved": "2025-06-03T05:55:52.772Z",
        "dateUpdated": "2025-06-23T16:06:29.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49188 (GCVE-0-2025-49188)

    Vulnerability from cvelistv5 – Published: 2025-06-12 14:02 – Updated: 2025-06-17 19:04
    VLAI
    Title
    Sensitive Data in URL
    Summary
    The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-598 - Use of GET Request Method With Sensitive Query Strings
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49188",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T14:14:35.551923Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T19:04:38.200Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.\u003c/code\u003e"
                }
              ],
              "value": "The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-598",
                  "description": "CWE-598 Use of GET Request Method With Sensitive Query Strings",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T14:02:36.838Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Sensitive Data in URL",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49188",
        "datePublished": "2025-06-12T14:02:36.838Z",
        "dateReserved": "2025-06-03T05:55:52.772Z",
        "dateUpdated": "2025-06-17T19:04:38.200Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49187 (GCVE-0-2025-49187)

    Vulnerability from cvelistv5 – Published: 2025-06-12 13:29 – Updated: 2025-06-12 13:43
    VLAI
    Title
    User enumeration
    Summary
    For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-204 - Observable Response Discrepancy
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49187",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T13:43:39.937942Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-12T13:43:49.791Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eFor failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.\u003c/code\u003e"
                }
              ],
              "value": "For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-204",
                  "description": "CWE-204 Observable Response Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T13:29:45.731Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "User enumeration",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eIt is highly recommended to use a strong password with a length of at least eight characters and a combination of letters, numbers, capital letters and symbols. Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "It is highly recommended to use a strong password with a length of at least eight characters and a combination of letters, numbers, capital letters and symbols. Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49187",
        "datePublished": "2025-06-12T13:29:45.731Z",
        "dateReserved": "2025-06-03T05:55:52.772Z",
        "dateUpdated": "2025-06-12T13:43:49.791Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49185 (GCVE-0-2025-49185)

    Vulnerability from cvelistv5 – Published: 2025-06-12 13:25 – Updated: 2025-06-12 13:53
    VLAI
    Title
    Stored Cross-Site-Script
    Summary
    The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Field Analytics Affected: all versions (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49185",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-12T13:53:21.717862Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-12T13:53:26.633Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "SICK Field Analytics",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eThe web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.\u003c/code\u003e"
                }
              ],
              "value": "The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T13:25:42.718Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
            }
          ],
          "source": {
            "advisory": "sca-2025-0007",
            "discovery": "INTERNAL"
          },
          "title": "Stored Cross-Site-Script",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
                }
              ],
              "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2025-49185",
        "datePublished": "2025-06-12T13:25:42.718Z",
        "dateReserved": "2025-06-03T05:55:52.772Z",
        "dateUpdated": "2025-06-12T13:53:26.633Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }