Cross-Site Scripting Vulnerability in StruxureWare Data Center Expert from Schneider Electric
CVE-2023-25551
6.1 MEDIUM
Key Information:
- Vendor: Schneider Electric
- CVE Published: 18 April 2023
Summary
A Cross-Site Scripting vulnerability has been identified in StruxureWare Data Center Expert, specifically on the DCE file upload endpoint. The vulnerability arises from improper neutralization of user input parameters during web page generation, which could allow an attacker to manipulate the application. By exploiting this flaw, an attacker could execute arbitrary scripts in the context of the user's session, which may lead to unauthorized access or data exposure.
Affected Version(s)
StruxureWare Data Center Expert: All
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved