Detections
Analytics
Schneider Electric PowerLogic PM5560 Improper Neutralization of Input During Web Page Generation (CVE-2018-7795)
medium Tenable OT Security Plugin ID 500552
Synopsis
The remote OT asset is affected by a vulnerability.Description
A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code.This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.
Solution
The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.Schneider Electric has released a fix to address this vulnerability:
https://www.schneider-electric.com/en/download/document/PM5560_PM5563_V2.5.4_Release/
For more information please see the Schneider Electric security notification at:
https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/
See Also
http://www.securityfocus.com/bid/105170
Plugin Details
Severity: Medium
ID: 500552
Version: 1.11
Type: remote
Family: Tenable.ot
Published: 2/7/2022
Updated: 4/11/2024
Supported Sensors: Tenable OT Security
Risk Information
VPR
Risk Factor: Low
Score: 3.0
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2018-7795
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Temporal Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:schneider-electric:powerlogic_pm5560_firmware
Required KB Items: Tenable.ot/Schneider
Exploit Ease: No known exploits are available
Patch Publication Date: 8/29/2018
Vulnerability Publication Date: 8/29/2018
Reference Information
CVE: CVE-2018-7795
CWE: 79