CVE-2023-45796 in PMI v8xx

Summary

by MITRE • 06/22/2026

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.

Analysis

by VulDB Data Team • 06/22/2026

This vulnerability represents a critical stored cross-site scripting flaw within the Runtime component of Pilz PASvisu software versions prior to 1.14.1 and PMI v8xx systems up to version 2.0.33992. The security weakness resides in how the system processes and stores user input without adequate sanitization, creating an environment where malicious scripts can be injected and persistently executed within the application's runtime context. Such vulnerabilities fall under CWE-79 (Cross-site Scripting) and are classified as stored XSS attacks because the malicious code is permanently stored on the server and executed whenever affected users access the compromised data.

The operational impact of this vulnerability extends beyond simple data manipulation, potentially compromising the integrity and availability of critical process data within industrial control systems. Attackers exploiting this weakness can execute arbitrary scripts in the context of other users' browsers, enabling them to access sensitive information, modify process parameters, or disrupt normal operations. This poses significant risks in industrial environments where process data integrity directly affects safety protocols and operational continuity.

The vulnerability's accessibility to low-privileged remote unauthenticated attackers makes it particularly dangerous as it requires minimal prerequisites for exploitation. The attack surface is expanded by the fact that no authentication is required to initiate the malicious payload, allowing unauthorized actors to manipulate system behavior without proper authorization. This aligns with ATT&CK technique T1213.002 - Data from Information Repositories where adversaries extract and modify stored data within applications.

Mitigation strategies should include immediate deployment of the patches released by Pilz: PASvisu 1.14.1 or later and, because PMI v8xx is affected up to and including 2.0.33992, a PMI v8xx release later than 2.0.33992. Robust input validation and output encoding should be implemented throughout the application's data handling processes. Network segmentation and monitoring solutions should be enhanced to detect anomalous script injection patterns, while regular security assessments should verify that all components of the industrial control system are properly updated and configured according to security best practices established by frameworks such as NIST SP 800-82 for industrial control systems security.

Responsible: CERTVDE

Reservation: 10/13/2023

Disclosure: 06/22/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low
