1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Subnet Solutions Inc.
- Equipment: PowerSYSTEM Center
- Vulnerabilities: Server-Side Request Forgery (SSRF), Inefficient Regular Expression Complexity, Cross-Site Request Forgery (CSRF)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in an attacker bypassing a proxy, creating a denial-of-service condition, or viewing sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of PowerSYSTEM Center are affected:
- PowerSYSTEM Center: PSC 2020 v5.21.x and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918
Vulnerable versions of PowerSYSTEM Center utilize Axios NPM package 0.21.0, which contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
CVE-2020-28168 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
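The following added example is not code from Axios, Subnet Solutions, or the original advisory. It illustrates the general defensive check for the redirect behavior described above: every redirect target is held to the same destination policy as the URL originally requested. The redirect table, host names, and the `lookup` helper are constructed for illustration.

```javascript
// Added example: constructed redirect table standing in for HTTP responses (no network).
const SAMPLE_RESPONSES = {
  'http://partner.example/report': { status: 302, location: 'http://cdn.example/report.pdf' },
  'http://cdn.example/report.pdf': { status: 200 },
  'http://untrusted.example/a': { status: 302, location: 'http://10.0.0.5/internal' },
  'http://untrusted.example/b': { status: 301, location: '//127.0.0.1:8080/admin' },
};

// True for common loopback, private, and link-local literals. Literal check only:
// a hostname that resolves to an internal address must be checked after DNS resolution.
function isRestrictedHost(hostname) {
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host.includes(':')) return host === '::1' || /^(f[cd]|fe80:)/.test(host);
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Follows redirects one hop at a time and applies the same destination policy
// to every Location target, not only to the URL the caller supplied.
// `lookup` is a hypothetical stand-in for "send the request without auto-follow".
function followRedirectsSafely(startUrl, lookup, maxHops = 5) {
  const chain = [];
  let current = new URL(startUrl);
  for (let hop = 0; hop <= maxHops; hop++) {
    if (current.protocol !== 'http:' && current.protocol !== 'https:') {
      return { ok: false, reason: 'scheme', blocked: current.href, chain };
    }
    if (isRestrictedHost(current.hostname)) {
      return { ok: false, reason: 'restricted-host', blocked: current.href, chain };
    }
    chain.push(current.href);
    const res = lookup(current.href);
    if (!res) return { ok: false, reason: 'no-response', chain };
    const isRedirect = res.status >= 300 && res.status < 400 && res.location;
    if (!isRedirect) return { ok: true, finalUrl: current.href, chain };
    current = new URL(res.location, current); // resolves relative and scheme-relative targets
  }
  return { ok: false, reason: 'too-many-redirects', chain };
}

// Lookup over the constructed table above.
const lookupSample = (url) => SAMPLE_RESPONSES[url];
```
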
3.2.2 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333
Vulnerable versions of PowerSYSTEM Center utilize Axios, which is vulnerable to Inefficient Regular Expression Complexity.
CVE-2021-3749 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has bee
[…]