Siemens Desigo PX is a building automation control system from Siemens, a German company. A cross-site scripting vulnerability exists in several Siemens products. The vulnerability stems from an incorrect neutralization of input during web page generation in the Import Files function of the “Operation” web application, which could be exploited by a remote, low-authority attacker to execute arbitrary JavaScript code by uploading a specially crafted graphics package.