Cross-site Scripting Vulnerability in Schneider Electric PLCs
CVE-2018-7810

6.1MEDIUM

Key Information:

Vendor: Schneider Electric
Status: Embedded Web Servers In All Modicon M340, Premium, Quantum Plcs And Bmxnor0200
Vendor: CVE Published:; 30 November 2018

Summary

A cross-site scripting vulnerability exists in the embedded web servers of Schneider Electric's Modicon M340, Premium, Quantum PLCs, and BMXNOR0200 models. This flaw allows an attacker to craft a malicious URL containing JavaScript, which can be executed within the user's browser upon accessing the URL. If successfully exploited, this vulnerability may lead to unauthorized actions performed in the context of the user's session, potentially compromising the integrity and security of the user's machine.

Affected Version(s)

Embedded Web Servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 Embedded Web Servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200

References

https://www.tenable.com/security/research/tra-2018-38

x_refsource_MISC

https://www.schneider-electric.com/en/download/document/S...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 30, 2018
Vulnerability Reserved
Mar 8, 2018