VDE-2023-029
Last update: 17.08.2023 14:00
Published at: 17.08.2023 14:00
Vendor(s): Helmholz GmbH & Co. KG
External ID: VDE-2023-029
CSAF Document
                                Summary
A stored XSS vulnerability has been found in REX 200 and REX 250 in all versions before 7.3.2.
Impact
A remote, authenticated attacker can fully compromise the browser session of all users accessing the device's web interface.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| | REX 200 | Firmware < 7.3.2 |
| | REX 250 | Firmware < 7.3.2 |
Vulnerabilities
Published: 24.09.2025 12:42
Severity:
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary: A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower than 7.3.2 allows an authenticated remote attacker with high privileges to inject malicious HTML or JavaScript code (XSS).
References:
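The weakness class above (CWE-79, stored XSS) comes down to rendering a value that a privileged user saved earlier into an HTML page without neutralizing it. The following is an added, generic illustration of that pattern and its fix; it is not code from Helmholz, Red Lion or the REX firmware, and it assumes a hypothetical "device name" field stored via the web interface and later shown in a table cell. The sample values are constructed.

```python
import html

# Constructed sample values as a privileged user might store them in a
# free-text field; the second and third contain HTML/attribute markup.
SAMPLE_STORED_VALUES = [
    "Plant-A-Router",
    "<script>alert(1)</script>",
    'x" onmouseover="alert(1)',
]


def render_unsafe(value: str) -> str:
    """CWE-79 pattern: the stored value is interpolated into the page as-is,
    so any markup it contains becomes part of the document for every viewer."""
    return f"<td>{value}</td>"


def render_safe(value: str) -> str:
    """Fix: encode the value for the HTML text/attribute context before it
    is placed in the page. html.escape(quote=True) neutralizes & < > \" '."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def neutralized(rendered: str) -> bool:
    """Defensive check used in tests: once the wrapping <td></td> is removed,
    no raw HTML-significant character from the stored value may survive."""
    inner = rendered[len("<td>"):-len("</td>")]
    return not any(ch in inner for ch in "<>\"'")


def audit(values: list[str]) -> dict[str, bool]:
    """Map each stored value to whether the safe renderer neutralized it."""
    return {v: neutralized(render_safe(v)) for v in values}


if __name__ == "__main__":
    for v in SAMPLE_STORED_VALUES:
        print("unsafe :", render_unsafe(v), "->", neutralized(render_unsafe(v)))
        print("safe   :", render_safe(v), "->", neutralized(render_safe(v)))
```

Because the injected markup is stored server-side, the unsafe renderer delivers it to every user who later opens the page, which is why the advisory's impact is the session of all users rather than only the attacker's own. Context-aware output encoding at render time is the fix the CWE names; a restrictive Content-Security-Policy and HttpOnly session cookies limit what a successful injection can reach but do not replace it.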
                                                        Remediation
Update to firmware version 7.3.2.
Acknowledgments
Helmholz GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
Revision History
| Version | Date | Summary | 
|---|---|---|
| 1 | 17.08.2023 14:00 | Initial revision. |