Security bulletins

Vulnerability CVE-2025-1434 was found in the WEBSERV2 component. The Spreadsheet view is vulnerable to a XSS attack, where a remote unauthorised attacker can read a limited amount of values or DoS the affected spreadsheet. Disclosure of secrets or other system settings is not affected as well as other spreadsheets still work as expected. An attacker with control over a "text" variable in the industrial network could inject malicious script in the spreadsheet web pages.

Users with no text-valued variables in their application are unaffected. Users with no speadsheet views shown in Webserv2 are unaffected.

Affects Areal Topkapi Webserv2 versions up to 6.2.5474 included. First unaffected fixed release 6.2.5592.

This vulnerability could result in disclosure of information, or possible unavailability of specific spreadsheet pages.

Vulnerability CVE-2024-1104 was found in Topkapi Webserv2 Web Server.
Brute force login attacks can cause a temporary denial of service of the web site.
A problem was found in the brute force prevention mecanism, this can make the web site unavailable for a short period of time for all users, including already logged-in users. Possible workaround is to throttle requests with a reverse-proxy.
Affects Topkapi Webserv2 up to version 6.2.4776, last affected version. Fixed in version 6.2.4777. Please update the Webserv2 component.

Component "Webserv1" is possibly affected of cross site scripting vulnerabilities through unchecked parameters in web site. This affect all version of "Webserv1" <= 6.1 ; Vulnerability was reported as CVE-2023-50357 (https://cert.vde.com/en/advisories/weakness/CVE-2023-50357/).

This vulnerability theorically offers the possibility to inject malicious data in the web site. A low privileged user, because of unsufficiently check parameters, could attack the system via other users's access rights.
This vulnerability could result in disclosure or modification of process information via privilege gain.

Product "Webserv1" is END-OF-LIFE. This component is replaced by "Webserv2" web server, which is not affected by the CVE, and is available with scada since version 6.0. Please upgrade to replacement product.

Vulnerability CVE-2023-50356 was foud in the LDAPS component, exclusively in mode NOVELL or SYNOLOGY. Connections to LDAPS in mode NOVELL and SYNOLOGY are vulnerable to a Man-in-the-middle attack, because of improper certificate validation.

Active Directory mode is NOT affected. Affects Areal Topkapi Vision Server versions up to 6.2.4718 included. First unaffected fixed release 6.2.4719. This vulnerability could result in disclosure of user names and passwords. Please update if using a Novell/Synology LDAP.