CVE-2023-3526 CRITICAL

CVE-2023-3526: PHOENIX CONTACT: Cross-site Scripting vulnerability in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices

Vendor Phoenix Contact
Product CLOUD CLIENT 1101T-TX/TX
Weakness CWE-79 · XSS
Published August 8, 2023
Last update February 27, 2025
View on NVD All CVEs

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user's browser.

Key dates

02Disclosure timeline

August 8, 2023 CVE published
February 27, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-2126 Orbit Fox by ThemeIsle <= 2.10.32 - Authenticated (Contributor+) Stored Cross-Site Scripiting via Registration Form Widget CVE-2025-31804 WordPress Follow Us Badges plugin <= 3.1.11 - Cross Site Scripting (XSS) vulnerability CVE-2024-11378 Bizapp for WooCommerce <= 2.0.8 - Reflected Cross-Site Scripting CVE-2024-4432 Piotnet Addons For Elementor <= 2.4.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets CVE-2023-24508 Remote Code Execution in Baicells RTS Platform