Siemens Desigo PX is a building automation control system from Siemens (Germany). Several Siemens products have an open redirection vulnerability: the device’s embedded browser does not prevent interaction with alternate URI schemes when the web application code redirects to the appropriate resource. By setting the home page URI, the collection URI, a remote attacker with low privileges could exploit the vulnerability to read arbitrary files on the file system and execute arbitrary JavaScript code, in order to steal or manipulate information on the screen.
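As a defensive illustration of the missing check described above, the following added example (not Siemens code, and not taken from the advisory) validates a configured home page or redirect URI against a scheme and origin allowlist before it is stored or followed. The origin `https://panel.example`, the function name `checkTargetUri` and the sample inputs are assumptions constructed for this example.

```javascript
// Added example: allowlist check for a configured home page / redirect URI.
// PANEL_ORIGIN is a hypothetical origin for the device's web application.
const PANEL_ORIGIN = "https://panel.example";
const ALLOWED_SCHEMES = new Set(["https:"]);

function checkTargetUri(raw, baseOrigin = PANEL_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "empty" };
  }
  let url;
  try {
    // Parse the way a browser does: relative input resolves against the
    // application origin, scheme case is normalized, tabs/newlines are dropped.
    url = new URL(raw, baseOrigin);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Reject every scheme that is not explicitly allowed (file:, javascript:, ...).
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // Same scheme is not enough: the target must stay on the application origin.
  if (url.origin !== baseOrigin) {
    return { ok: false, reason: `origin ${url.origin} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo not allowed" };
  }
  return { ok: true, href: url.href };
}

// Constructed sample inputs; only the first one should be accepted.
const SAMPLES = [
  "/dashboard/index.html",
  "file:///etc/hosts",
  "JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "//other.example/x",
  "https://panel.example@other.example/",
];

function auditSamples() {
  return SAMPLES.map((input) => ({ input, ...checkTargetUri(input) }));
}

console.table(auditSamples());
```

Checking the parsed `protocol` and `origin` rather than pattern-matching the raw string is what makes the mixed-case, embedded-tab and protocol-relative inputs fail the same way as the plain ones.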