Description
The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting: JavaScript can be executed in the victim's browser, which allows the attacker to control the browser.
Problem types
CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')
Product status
Any version
Credits
Maximilian Hildebrand of G DATA Advanced Analytics reported this vulnerability to CISA.
References
www.cisa.gov/news-events/ics-advisories/icsa-26-139-05
github.com/...p/csaf_files/OT/white/2026/icsa-26-139-05.json