Security Misconfiguration in Schneider Electric IGSS Mobile Application
CVE-2017-9968

5.9 MEDIUM

Key Information:

Vendor
CVE Published: 12 February 2018

Summary

A security misconfiguration vulnerability exists in Schneider Electric's IGSS Mobile application versions 3.01 and earlier. This flaw is due to an improper implementation of certificate pinning during the TLS/SSL connection process, potentially allowing attackers to execute man-in-the-middle attacks. As a result, sensitive data transmitted between the mobile application and the server may be intercepted and exploited. It is crucial for users of affected versions to implement necessary security measures to mitigate this risk.

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
