CVE-2023-29023

7.0 HIGH

📋 TL;DR

A cross-site scripting (XSS) vulnerability in Rockwell Automation's ArmorStart ST product allows attackers to inject malicious scripts into web pages. This could enable viewing or modifying sensitive data or causing denial of service. Users of ArmorStart ST products with web interfaces are affected.

💻 Affected Systems

Products:
  • Rockwell Automation ArmorStart ST
Versions: Specific versions not detailed in advisory; check vendor documentation
Operating Systems: Embedded/industrial control system
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction via web interface; industrial control environments may have limited external access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal credentials, manipulate device configurations, or render the web interface unusable, potentially disrupting industrial operations.

🟠 Likely Case

Attackers would use phishing to trick users into clicking malicious links, leading to session hijacking or data theft from the web interface.

🟢 If Mitigated

With proper network segmentation and user awareness, exploitation would be limited to isolated incidents with minimal operational impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (e.g., phishing); no public exploit code known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Rockwell Automation advisory for specific firmware updates

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139438

Restart Required: Yes

Instructions:

1. Review the Rockwell Automation advisory.
2. Download and apply the recommended firmware updates.
3. Restart affected devices as required.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate ArmorStart ST devices from untrusted networks to reduce attack surface.

User Awareness Training

all

Educate users to avoid clicking suspicious links in the web interface.

🧯 If You Can't Patch

  • Implement strict network access controls to limit web interface exposure.
  • Use web application firewalls (WAFs) to filter malicious input.

🔍 How to Verify

Check if Vulnerable:

Compare the device firmware version against the Rockwell Automation advisory; if the device is unpatched and its web interface is reachable, assume it is vulnerable.

Check Version:

Consult device documentation or web interface for firmware version details.

Verify Fix Applied:

Confirm firmware version matches patched version in advisory and test web interface functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual web requests with script tags or encoded payloads in device logs

Network Indicators:

  • HTTP requests containing suspicious JavaScript or HTML to device web ports

SIEM Query:

Search web logs from ArmorStart ST devices for patterns such as '<script>' or 'javascript:' in the request URI or parameters, including their URL-encoded forms (e.g. '%3Cscript%3E'), since the indicator may arrive percent-encoded.
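The following is an added illustration of the log-search logic described above; it is not code from the page, from Rockwell Automation, or from any SIEM product. It assumes web access logs in common log format (ArmorStart ST log formats are not documented here, so the sample lines are constructed) and shows why the search must percent-decode the request target before matching: the same payload appears plain, single-encoded and double-encoded in the samples, and only decoding makes all three hit the indicators the page names.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in common log format.
# These are NOT real ArmorStart ST logs; source addresses and paths are made up.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/May/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/May/2023:10:01:09 +0000] "GET /status.cgi?name=<script>alert(1)</script> HTTP/1.1" 200 734',
    '10.0.0.9 - - [12/May/2023:10:01:15 +0000] "GET /config.cgi?url=javascript:alert(1) HTTP/1.1" 200 120',
    '10.0.0.11 - - [12/May/2023:10:02:01 +0000] "GET /status.cgi?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734',
    '10.0.0.12 - - [12/May/2023:10:02:30 +0000] "GET /status.cgi?name=%253Cscript%253E HTTP/1.1" 200 734',
    '10.0.0.13 - - [12/May/2023:10:03:00 +0000] "POST /login.cgi HTTP/1.1" 302 0',
]

# Parses the request line out of a common-log-format entry.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# The two indicators the advisory summary suggests searching for.
INDICATORS = ("<script", "javascript:")


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode the request target repeatedly (bounded) and lower-case it.

    A bounded loop handles double-encoded payloads ("%253C" -> "%3C" -> "<")
    without spinning on input that never stops changing.
    """
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def indicators_in(target: str) -> List[str]:
    """Return the indicator strings present in the decoded request target."""
    norm = normalize(target)
    return [ind for ind in INDICATORS if ind in norm]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one finding per request that carries an indicator."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        found = indicators_in(match.group("target"))
        if found:
            hits.append({
                "src": match.group("src"),
                "timestamp": match.group("ts"),
                "target": match.group("target"),
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f'{hit["timestamp"]} {hit["src"]} {hit["target"]} -> {hit["indicators"]}')
```

Run against the constructed samples, the scanner flags four of the six lines: the plain, single-encoded and double-encoded `<script>` requests and the `javascript:` URL, while the ordinary page load and the login POST pass. Matching is done on the decoded, lower-cased target, so case variants such as `<SCRIPT>` are also caught; the same decode-then-match step is what a SIEM query needs, because a raw substring search for '<script>' misses the encoded forms entirely. In an ICS environment these substrings should be rare in legitimate traffic to a device web interface, so a hit is worth an alert rather than a statistical threshold.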
