Subnet Solutions Inc. PowerSYSTEM Center

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Subnet Solutions Inc.
  • Equipment: PowerSYSTEM Center
  • Vulnerabilities: Server-Side Request Forgery (SSRF), Inefficient Regular Expression Complexity, Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker bypassing a proxy, creating a denial-of-service condition, or viewing sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerSYSTEM Center are affected:

  • PowerSYSTEM Center: PSC 2020 v5.21.x and prior

3.2 Vulnerability Overview

3.2.1 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

Vulnerable versions of PowerSYSTEM Center utilize Axios NPM package 0.21.0, which contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVE-2020-28168 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Vulnerable versions of PowerSYSTEM Center utilize Axios, which is vulnerable to Inefficient Regular Expression Complexity.

CVE-2021-3749 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has bee

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article: