A low-privileged remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage, with limited impact.
CVE ID: CVE-2025-3020
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.4
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Vendor: Wiesemann & Theis
Product: ERP-Gateway 12x Digital Input, 6x Digital Relais, ERP-Gateway 2x Digital Input, 2x Digital Output, ERP-Gateway 2x Digital PoE, Web-Alarm 6x6 Digital, Web-Count 6x Digital, Web-Graph Air Quality, Web-IO 12x Digital Input, 6x Digital Relais, Web-IO Analog-In/Out 2x 0/4..20mA PoE, Web-IO Digital 12xIn, 12xOut, Web-IO Digital 12xIn, 12xOut, 1xRS232, Web-IO Digital 2xIn, 2xOut, Web-IO Digital Logger 6xIn, 6xOut, Web-Thermograph 2x, Web-Thermograph 8x, Web-Thermograph NTC, Web-Thermograph NTC PoE, Web-Thermograph Pt100 / Pt1000, Web-Thermograph Pt100 / Pt1000 PoE, Web-Thermograph Relais, Web-Thermo-Hygrobarograph, Web-Thermo-Hygrograph
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 11.26% (share of scored vulnerabilities with an EPSS score less than or equal to this one)
EPSS Date: 2025-06-04 (when this score was calculated)