CVE-2017-9963

Published: Feb 12, 2018Modified: Nov 21, 2024

8.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack.

Affected (1)

Products: Schneider Electric: Powerscada Anywhere

Schneider Electric

1 product

Powerscada Anywhere

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Schneider Electric Powerscada Anywhere	Version 1.0

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/

Source: cybersecurity@se.com

Broken Link

https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere

Source: cybersecurity@se.com

Permissions RequiredVendor Advisory

http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

Timeline

No history available yet.