CVE-2022-2140

8.8 HIGH

📋 TL;DR

CVE-2022-2140 is a cross-site scripting (XSS) vulnerability in Elcomplus SmartICS v2.3.4.0 that allows authenticated users to inject malicious scripts into specific parameters. This enables attackers to execute arbitrary code in the context of other users' browsers. Organizations using Elcomplus SmartICS v2.3.4.0 for industrial control systems are affected.

💻 Affected Systems

Products:
  • Elcomplus SmartICS
Versions: v2.3.4.0
Operating Systems: Windows-based ICS environments
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects parameters that do not neutralize user-controllable input. Requires authenticated access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal session cookies, perform actions as other users, redirect to malicious sites, or compromise the entire ICS system if combined with other vulnerabilities.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed by authenticated attackers against other users.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH if exposed to internet, as authenticated attackers could target multiple users.
🏢 Internal Only: MEDIUM as it requires authenticated access but could still impact internal ICS operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but injection is straightforward once authenticated. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.3.4.1 or later

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05

Restart Required: Yes

Instructions:

1. Contact Elcomplus for the updated version.
2. Back up the current configuration.
3. Install v2.3.4.1 or later.
4. Restart SmartICS services.
5. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation to sanitize user-controllable parameters.

Reject or strip any character matched by /[^a-zA-Z0-9\s\-]/, i.e. anything outside the letters, digits, whitespace and hyphen allowlist. This narrows what reaches the page but does not replace context-aware output encoding, which should be applied to every reflected value regardless.

Content Security Policy (applies to: all)

Add CSP headers to restrict the sources from which scripts may be loaded and executed.

Add the HTTP header: Content-Security-Policy: default-src 'self'

Note that default-src 'self' also blocks inline scripts and inline event handlers, so test the SmartICS interface with the header in place before rolling it out; pages that depend on inline script need nonces or hashes added to the policy rather than 'unsafe-inline', which would defeat the mitigation.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Restrict network access to SmartICS to only authorized users and segments

🔍 How to Verify

Check if Vulnerable:

Check if running SmartICS v2.3.4.0 via admin interface or version file

Check Version:

Check SmartICS web interface > About or examine program files version info

Verify Fix Applied:

Verify the version is v2.3.4.1 or later, then re-test the affected parameters with XSS test strings and confirm they are encoded in the response rather than reflected as markup.

📡 Detection & Monitoring

Log Indicators:

  • Unusual parameter values containing script tags
  • Multiple failed login attempts followed by parameter manipulation

Network Indicators:

  • HTTP requests with script tags in parameters
  • Unusual outbound connections after authenticated sessions

SIEM Query:

source="smartics" AND (param="*<script>*" OR param="*javascript:*")
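As an added example (not code from the advisory or from Elcomplus), the allowlist check and output encoding from the workarounds above together with a log scanner that applies the SIEM query's `<script>` / `javascript:` markers after URL-decoding, which a raw glob on the undecoded request would miss. The log format, parameter names and sample lines are constructed assumptions, not taken from a real SmartICS deployment.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Allowlist from the advisory's workaround: any character this pattern matches is disallowed.
DISALLOWED = re.compile(r"[^a-zA-Z0-9\s\-]")
# Markers behind the advisory's SIEM query, matched case-insensitively after URL-decoding.
SCRIPT_MARKERS = ("<script", "javascript:")

def validate_param(value: str) -> bool:
    """Server-side allowlist check: True only if value has no disallowed characters."""
    return DISALLOWED.search(value) is None

def render_safely(value: str) -> str:
    """Defence in depth: HTML-encode before reflecting a value into a page, whether or not it passed validation."""
    return html.escape(value, quote=True)

def suspicious_params(request: str) -> list[str]:
    """Names of query parameters in a 'GET /path?q=... HTTP/1.1' request field whose
    decoded value carries a script marker. parse_qsl percent-decodes once, so an
    encoded %3Cscript%3E is caught where a raw '*<script>*' glob would miss it."""
    parts = request.split(" ")
    if len(parts) != 3:
        return []  # not a well-formed request field
    query = urlsplit(parts[1]).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if any(marker in value.lower() for marker in SCRIPT_MARKERS)]

def scan_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each client address in common-log-format lines to the flagged parameter names."""
    flagged: dict[str, list[str]] = {}
    for line in lines:
        fields = line.split('"')
        if len(fields) < 3:
            continue  # malformed line: no quoted request field
        hits = suspicious_params(fields[1])
        if hits:
            flagged.setdefault(line.split(" ", 1)[0], []).extend(hits)
    return flagged

# Constructed sample access-log lines (assumed format); not from any real SmartICS deployment.
SAMPLE_LOG = [
    '10.0.0.5 - operator [01/Jan/2024:10:00:00 +0000] "GET /dashboard?name=Pump-01 HTTP/1.1" 200',
    '10.0.0.7 - operator [01/Jan/2024:10:00:05 +0000] "GET /dashboard?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '10.0.0.9 - operator [01/Jan/2024:10:00:09 +0000] "GET /dashboard?link=JavaScript:void(0)&name=ok HTTP/1.1" 200',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines only; the first, a value that also passes `validate_param`, is left alone.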

🔗 References
