Cross-Site Request Forgery in Schneider Electric's PowerSCADA Products
CVE-2017-7969

8.8 HIGH

Key Information:

Vendor
CVE Published: 26 September 2017

Summary

A cross-site request forgery vulnerability has been identified in Schneider Electric's Secure Gateway component within PowerSCADA Anywhere and its associated PowerSCADA Expert versions. This flaw allows an attacker to perform state-changing actions on behalf of a legitimate user by exploiting social engineering tactics to lure the target into clicking a malicious link. Ensuring that users are aware of this risk is critical for maintaining system integrity and protecting sensitive data.

Affected Version(s)

Citect Anywhere version 1.0

PowerSCADA Anywhere Version 1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
