CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-49191: Dashboards and iFrames can link malicious web content

4.8 CVSS

Description

Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.

Classification

CVE ID: CVE-2025-49191

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Problem Types

CWE-1021 Improper Restriction of Rendered UI Layers or Frames

Affected Products

Vendor: SICK AG

Product: SICK Field Analytics

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.53% (scored less or equal to compared to others)

EPSS Date: 2025-06-19 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-49191
https://sick.com/psirt
https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json

Timeline

2025-06-12 15:40:21 UTC
CVE

Dashboards and iFrames can link malicious web content