CVE-2023-2072

Published: Jul 11, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The Rockwell Automation PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web page of the product. The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.

Affected (1)

Products: Rockwellautomation: Powermonitor 1000 Firmware

Rockwellautomation

1 product

Powermonitor 1000 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Rockwellautomation Powermonitor 1000 Firmware	All versions

Running on/with	Platform Versions
Rockwellautomation Powermonitor 1000	All versions

Related CWEs

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139761

Source: PSIRT@rockwellautomation.com

Permissions RequiredVendor Advisory

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139761

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

Timeline

No history available yet.