Siemens Desigo PX is a building automation control system from Siemens, a German company. A cross-site request forgery vulnerability exists in several Siemens products, stemming from a lack of validation of anti-CSRF tokens or other source checks in the Import Files feature of the “Operation” Web application. A remote, unauthenticated attacker could exploit it simply by tricking a victim into accessing a specially crafted Web page while logged into the device’s Web application, which could allow arbitrary JavaScript code to be permanently uploaded to the device and executed.