1. EXECUTIVE SUMMARY
- CVSS v3 5.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: EcoStruxure Power Monitoring Expert, EcoStruxure Power Operation, EcoStruxure Power SCADA Operation 2020
- Vulnerability: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to tamper with folder names within the context of the product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2021: All versions prior to 2021 CU1
- Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2020: All versions prior to 2020 CU3
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2022: All versions prior to 2022 CU4
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module: All versions prior to 2022 CU4
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2021: All versions prior to 2021 CU3 Hotfix 2
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module: All versions prior to 2021 CU3 Hotfix 2
- Schneider Electric EcoStruxure™ Power SCADA Operation 2020 (PSO) – Advanced Reporting and Dashboards Module: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an authenticated attacker modifies folder names within the context of the product.