CVE-2023-45795 in PMI v8xx

Summary

by MITRE • 06/22/2026

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious JavaScript and gain full control over the device.


Analysis

by VulDB Data Team • 06/22/2026

This cross-site scripting vulnerability exists in the Builder Component of Pilz PASvisu prior to version 1.14.1. It is a critical security flaw that enables local unauthenticated attackers to execute arbitrary JavaScript code on affected systems. The vulnerability stems from insufficient input validation and output encoding in the web interface component that processes user-supplied data during the visualization building process. Attackers can exploit this weakness by injecting malicious JavaScript payloads through carefully crafted inputs that are then rendered in the web interface without proper sanitization, creating a persistent cross-site scripting vector.

Exploitation occurs when an attacker interacts with the Builder Component's input fields or configuration parameters, where the application fails to properly escape or validate user-supplied data before rendering it within the HTML context. This allows attackers to inject JavaScript code that executes in the context of the victim's browser session, potentially enabling full device control through session hijacking or privilege escalation techniques. The vulnerability is particularly concerning because a local attacker requires neither network connectivity nor authentication credentials to exploit the flaw, making it accessible even in isolated industrial environments.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with complete control over the affected device and its associated systems. This includes potential access to sensitive configuration data, ability to modify visualization components, and possible escalation to administrative privileges within the PASvisu environment. The attack surface is particularly problematic in industrial control systems where such vulnerabilities could lead to operational disruption, data compromise, or even physical system manipulation through the visualization interface that typically serves as a primary interaction point for operators and maintenance personnel.

Mitigation should prioritize immediate application of the vendor-provided patch to version 1.14.1 or later, which implements proper input validation and output encoding mechanisms to prevent JavaScript injection. Organizations should also implement network segmentation to limit access to affected systems, disable unnecessary web interfaces where possible, and conduct thorough security assessments of similar components within their industrial control environments. This vulnerability aligns with CWE-79 (Cross-site Scripting) and maps to ATT&CK technique T1566 (Phishing) when combined with social engineering approaches, though the local nature of this specific flaw makes it more aligned with lateral movement and privilege escalation tactics within compromised environments. Regular security monitoring and input validation testing should be implemented to prevent similar vulnerabilities in other components of the industrial automation infrastructure.

Responsible: CERTVDE

Reservation: 10/13/2023

Disclosure: 06/22/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low
