CVE-2025-49191

Dashboards and iFrames can link malicious web content

CVSS 4.8 MEDIUMEPSS 0.3%CWE-1021

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.8EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

12 jun 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Productos afectados

SICK AG · SICK Field Analytics

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF https://sick.com/psirt https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf