Cross-Site Request Forgery Vulnerability in Schneider Electric Wonderware InTouch Access Anywhere
CVE-2017-5156

8.8 HIGH

Key Information:

Vendor: Aveva

CVE Published: 20 April 2017

What is CVE-2017-5156?

A Cross-Site Request Forgery (CSRF) vulnerability was identified in Schneider Electric's Wonderware InTouch Access Anywhere, affecting versions 11.5.2 and earlier. The flaw permits an attacker to forge client requests from a malicious site, potentially allowing unauthorized access to internal Remote Desktop Protocol (RDP) systems on behalf of a user who is currently logged in. It is critical to ensure that robust security measures are in place to prevent such vulnerabilities and protect sensitive internal systems.

Affected Version(s)

Schneider Electric Wonderware InTouch Access Anywhere

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
