1. EXECUTIVE SUMMARY
- CVSS v3 5.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: Modicon Controllers
- Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to cause a victim’s browser to run arbitrary JavaScript when visiting a page containing the injected payload.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- Schneider Electric Modicon Controllers M258 / LMC058: All versions
- Schneider Electric Modicon Controllers M262: Versions prior to 5.2.8.26
- Schneider Electric Modicon Controllers M251: Versions prior to 5.2.11.24
- Schneider Electric Modicon Controllers M241: Versions prior to 5.2.11.24
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
A Cross-site Scripting vulnerability exists where an attacker could cause a victim’s browser to run arbitrary JavaScript when they visit a page containing the injected payload.
CVE-2024-6528 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, and Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schnei
[…]
This article has been indexed from All CISA Advisories