Sick: Security Vulnerabilities
The application sends user credentials as URL parameters instead of in POST bodies, exposing them to information gathering (for example through logs, browser history and referrer headers).
CVSS Score
5.3
EPSS Score
0.004
Published
2025-06-12
The HttpOnly flag of the session cookie "@@" is set to false. Since this flag helps prevent access to cookies from client-side scripts, setting it to false increases the likelihood that Cross-Site Scripting attacks can reach the stored cookies.
CVSS Score
5.3
EPSS Score
0.002
Published
2025-06-12
The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be abused to make the server send requests to other ports on its own internal network.
CVSS Score
4.3
EPSS Score
0.003
Published
2025-06-12
URLs linked during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs are embedded as iFrame widgets, so an attacker who includes malicious code can attack other users who open the dashboard. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.
CVSS Score
4.8
EPSS Score
0.002
Published
2025-06-12
Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service attack.
CVSS Score
8.6
EPSS Score
0.006
Published
2025-06-12
Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacker to get full access to the application.
CVSS Score
7.5
EPSS Score
0.005
Published
2025-06-12
All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files.
CVSS Score
7.5
EPSS Score
0.002
Published
2025-06-12
A remote unauthorized attacker may gather sensitive information about the application, because the product's configuration settings are not protected by authorization.
CVSS Score
7.5
EPSS Score
0.004
Published
2025-06-12
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.
CVSS Score
5.5
EPSS Score
0.002
Published
2025-06-12
Authentication Bypass by Capture-replay in SICK Flexi Soft Gateways with part numbers 1044073, 1127717, 1130282, 1044074, 1121597, 1099832, 1051432, 1127487, 1069070, 1112296, 1044072, 1121596, 1099830 allows an unauthenticated remote attacker to potentially impact the availability, integrity and confidentiality of the gateways via an authentication bypass by capture-replay.
CVSS Score
8.8
EPSS Score
0.016
Published
2023-10-23
Shodan ® - All rights reserved