Summary
SIDIS Prime before V4.0.800 is affected by multiple vulnerabilities in the components OpenSSL, SQLite, and several Node.js packages as described below. Siemens has released a new version of SIDIS Prime and recommends to update to the latest version.
The following versions of Siemens SIDIS Prime are affected:
- SIDIS Prime vers:intdot/<4.0.800 (CVE-2024-29857, CVE-2024-30171, CVE-2024-30172, CVE-2024-41996, CVE-2025-6965, CVE-2025-7783, CVE-2025-9230, CVE-2025-9232, CVE-2025-9670, CVE-2025-12816, CVE-2025-15284, CVE-2025-58751, CVE-2025-58752, CVE-2025-58754, CVE-2025-62522, CVE-2025-64718, CVE-2025-64756, CVE-2025-66030, CVE-2025-66031, CVE-2025-66035, CVE-2025-66412, CVE-2025-69277, CVE-2026-22610)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 8.7 | Siemens | Siemens SIDIS Prime | Out-of-bounds Read, Observable Discrepancy, Improper Input Validation, Improper Certificate Validation, Numeric Truncation Error, Use of Insufficiently Random Values, Out-of-bounds Write, Inefficient Regular Expression Complexity, Interpretation Conflict, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Relative Path Traversal, Allocation of Resources Without Limits or Throttling, Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’), Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Integer Overflow or Wraparound, Uncontrolled Recursion, Insertion of Sensitive Information Into Sent Data, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Incomplete List of Disallowed Inputs |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany
Vulnerabilities
CVE-2024-29857
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2024-30171
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-203 Observable Discrepancy
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2024-30172
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2024-41996
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-295 Improper Certificate Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2025-6965
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-197 Numeric Truncation Error
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L |
CVE-2025-7783
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 – 3.0.3, 4.0.0 – 4.0.3.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-330 Use of Insufficiently Random Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
CVE-2025-9230
An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
CVE-2025-9232
Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the ‘no_proxy’ environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application. The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker. In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a ‘no_proxy’ environment variable set. For the aforementioned reasons the issue was assessed as Low severity. The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2025-9670
A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-1333 Inefficient Regular Expression Complexity
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVE-2025-12816
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-436 Interpretation Conflict
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
CVE-2025-15284
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable. DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === ‘[]’ && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoCTest 1 – Basic bypass: npm install qs const qs = require(‘qs’); const result = qs.parse(‘a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6’, { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Test 2 – DoS demonstration: const qs = require(‘qs’); const attack = ‘a[]=’ + Array(10000).fill(‘x’).join(‘&a[]=’); const result = qs.parse(attack, { arrayLimit: 100 }); console.log(result.a.length); // Output: 10000 (should be max 100) Configuration: * arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2) * Use bracket notation: a[]=value (not indexed a[0]=value) ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection. Attack scenario: * Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&…&filters[]=x (100,000+ times) * Application parses with qs.parse(query, { arrayLimit: 100 }) * qs ignores limit, parses all 100,000 elements into array * Server memory exhausted → application crashes or becomes unresponsive * Service unavailable for all users Real-world impact: * Single malicious request can crash server * No authentication required * Easy to automate and scale * Affects any endpoint parsing query strings with bracket notation
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2025-58751
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using –host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
CVE-2025-58752
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using –host or server.host config option) and use `appType: ‘spa’` (default) or `appType: ‘mpa’` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-23 Relative Path Traversal
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
CVE-2025-58754
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: ‘stream’`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2025-62522
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CVE-2025-64718
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it’s possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node –disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2025-64756
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/–cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2025-66030
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2025-66031
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-674 Uncontrolled Recursion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2025-66035
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular’s HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-201 Insertion of Sensitive Information Into Sent Data
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
CVE-2025-66412
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler’s internal security schema is incomplete, allowing attackers to bypass Angular’s built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
CVE-2025-69277
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren’t in the main cryptographic group.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-184 Incomplete List of Disallowed Inputs
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.5 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |
CVE-2026-22610
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Acknowledgments
- Siemens ProductCERT reported these vulnerabilities to CISA.
General Recommendations
As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens’ operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-485750 from a direct conversion of the vendor’s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA’s website as a means of increasing visibility and is provided “as-is” for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.
Revision History
- Initial Release Date: 2026-03-10
| Date | Revision | Summary |
|---|---|---|
| 2026-03-10 | 1 | Publication Date |
| 2026-03-12 | 2 | Initial CISA Republication of Siemens ProductCERT SSA-485750 advisory |
