Cross-Site Request Forgery in PowerLogic Devices from Schneider Electric
CVE-2021-22701

4.5 MEDIUM

Summary

A Cross-Site Request Forgery (CSRF) vulnerability exists in Schneider Electric's PowerLogic devices, including ION7400, ION7650, and several ION series models. The flaw lets an attacker trick the browser of a user who is authenticated to the device's HTTP web interface into submitting requests the user did not intend, potentially compromising device integrity and operations. Users who access the affected PowerLogic models without proper safeguards may therefore unknowingly execute harmful commands.

Affected Version(s)

  • PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected )

  • EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs: HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series

  • Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series

CVSS V3.1

Score: 4.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved