CVE-2023-45795 PUBLISHED

Pilz: XSS vulnerability in Pilz PASvisu and PMI v8xx

Assigner: CERTVDE
Reserved: 13.10.2023 Published: 22.06.2026 Updated: 22.06.2026

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Pilz
Product	PMI v8xx
Versions	Default: unaffected affected from 0.0.0 to 2.0.33992 (incl.)

Vendor	Pilz
Product	PASvisu
Versions	Default: unaffected affected from 0.0.0 to 1.14.1 (excl.)

References

https://certvde.com/en/advisories/VDE-2023-050/

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE