Information Exposure in Schneider Electric Wonderware InTouch Access Anywhere
CVE-2017-5158

9.8 CRITICAL

Key Information:

Vendor: Aveva
CVE Published: 20 April 2017

What is CVE-2017-5158?

An issue has been identified in Schneider Electric’s Wonderware InTouch Access Anywhere where sensitive credentials can be unintentionally exposed to external systems. This occurs through the manipulation of URL parameters, allowing for arbitrary destination addresses to be specified. As a result, unauthorized users may gain access to sensitive information, posing a security risk to systems utilizing this product.

Affected Version(s)

Schneider Electric Wonderware InTouch Access Anywhere

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
