CVE-2023-2746 CRITICAL

CVE-2023-2746: Rockwell Automation Enhanced HIM Vulnerable to Cross-Site Request Forgery Attack

Vendor: Rockwell Automation
Product: Enhanced HIM
Weakness: CWE-352 (Cross-Site Request Forgery, CSRF)
Published: July 11, 2023
Last update: November 7, 2024

CVSS base score: 9.6/10 (Critical)

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

The Rockwell Automation Enhanced HIM software uses an API that is insufficiently protected and is configured with incorrect Cross-Origin Resource Sharing (CORS) settings; as a result, it is vulnerable to a Cross-Site Request Forgery (CSRF) attack. To exploit this vulnerability, an attacker would have to convince a user to click an untrusted link through social engineering, or successfully perform a Cross-Site Scripting (XSS) attack. Successful exploitation could lead to sensitive information disclosure and full remote access to the affected products.

Key dates

Disclosure timeline

July 11, 2023: CVE published
November 7, 2024: Record updated
