Detections
Analytics

B&R Systems Diagnostics Manager Improper Neutralization of Input During Web Page Generation (CVE-2022-4286)

medium Tenable OT Security Plugin ID 503272

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A reflected cross-site scripting (XSS) vulnerability exists in System Diagnostics Manager of B&R Automation Runtime versions >=3.00 and <=C4.93 that enables a remote attacker to execute arbitrary JavaScript in the context of the users browser session.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

B&R recommends users to update to the latest version of the product at earliest convenience (instructions to install updates is described in the user manual):

- Update all SDM products to firmware D4.93 or later.

B&R also recommends the following workarounds to mitigate the risk of exploitation:

- Deactivate the SDM when not needed.
- Refer to “general security recommendations” in the B&R Industrial Automation’s advisory
- Do not use hyperlinks provided by untrusted third parties to access the SDM.
- Use external Web Application Firewalls when possible.
- Visit the B&R Industrial Automation’s advisory for more information.

See Also

http://www.nessus.org/u?2081b9ab

https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-02

Plugin Details

Severity: Medium

ID: 503272

File Name: tenable_ot_brautomation_CVE-2022-4286.nasl

Version: 1.3

Type: remote

Family: Tenable.ot

Published: 6/13/2025

Updated: 2/12/2026

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:br-automation:automation_runtime

Required KB Items: Tenable.ot/BRAutomation

Exploit Ease: No known exploits are available

Patch Publication Date: 2/14/2023

Vulnerability Publication Date: 2/14/2023

Reference Information

CVE: CVE-2022-4286

CWE: 79

ICSA: 23-068-02