CISA has published an advisory on cross-site scripting and basic XSS vulnerabilities in Siemens Climatix. All versions of Climatix POL908 (BACnet/IP module) and Climatix POL909 (AWM module) are affected. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code to access confidential information without authentication. Siemens has identified specific workarounds and mitigations users can apply to reduce the risk. CISA also recommends a series of measures to mitigate the vulnerabilities. Read the advisory at CISA.