CVE-2025-49191 PUBLISHED

Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.

Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \"SICK Operating Guidelines\" and \"ICS-CERT recommended practices on Industrial Security\" could help to implement the general security practices.

• https://sick.com/psirt
• https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
• https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
• https://www.first.org/cvss/calculator/3.1
• https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf
• https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json

• CWE-1021 Improper Restriction of Rendered UI Layers or Frames CWE