Schneider Electric PowerLogic PM5560 < 2.5.4 Cross Protocol Injection

Medium Nessus Network Monitor Plugin ID 720172

Synopsis

Schneider Electric PowerLogic PM5560 is vulnerable to the Cross Protocol Injection attack.

Description

A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code.

Solution

Perform vendor recommended mitigations and apply available vendor upgrades.

See Also

http://www.securityfocus.com/bid/105170

https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03

https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01

Plugin Details

Severity: Medium

ID: 720172

Family: SCADA

Published: 2019/05/08

Updated: 2019/09/30

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2018/08/28

Vulnerability Publication Date: 2018/08/28

Reference Information

CVE: CVE-2018-7795

BID: 105170