URL Redirection Vulnerability in Schneider Electric's Web Application
CVE-2023-5986

8.2 HIGH

Summary

A security vulnerability exists that allows URL redirection to untrusted sites (an open redirect), potentially leading to cross-site scripting attacks. It occurs when an attacker supplies URL-encoded input that causes the web application to redirect the user to an attacker-controlled domain after the user successfully logs in. Such vulnerabilities can compromise user data and trust, so users should update their systems and ensure proper security measures are in place.
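The vulnerability class described above is a post-login redirect target that is accepted without validation, including in URL-encoded form. The following is an added illustration of how a defender would validate such a parameter; it is not code from the affected product (the page names no framework, so plain Python is used) and the function name, the `default` target and the sample inputs are all constructed for this example.

```python
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # hypothetical bound on nested percent-encoding


def safe_post_login_target(raw: str, default: str = "/") -> str:
    """Return a redirect target that stays on the current origin.

    Validates the fully percent-decoded form of ``raw`` and returns it
    only if it is a plain local path; anything else falls back to
    ``default``. This is example hardening logic, not the vendor's fix.
    """
    if not raw:
        return default

    # Decode repeatedly so that double-encoded input such as
    # %252F%252Fhost is judged in the form the application would act on.
    decoded = raw
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if unquote(decoded) != decoded:
        return default  # still encoded after the bound: refuse it

    # Control characters, whitespace and backslashes are normalised away
    # by browsers (e.g. "\" becomes "/"), so reject them outright.
    if any(c <= " " or c == "\\" for c in decoded):
        return default

    # Scheme-relative forms ("//host", "///host") change the origin.
    if decoded.startswith("//"):
        return default

    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return default  # absolute URL, including javascript:/data:
    if not parts.path.startswith("/"):
        return default  # require an absolute local path
    return decoded


if __name__ == "__main__":
    for sample in ("/dashboard?view=1", "https://evil.example/",
                   "%2F%2Fevil.example", "%252F%252Fevil.example",
                   "/\\evil.example", "/%09/evil.example",
                   "javascript:alert(1)", "reports"):
        print(f"{sample!r:30} -> {safe_post_login_target(sample)!r}")
```

Only the first sample survives validation; every other constructed input falls back to the default target.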

Affected Version(s)

EcoStruxure Power Monitoring Expert (PME) Version 2020 CU2 and prior

EcoStruxure Power Monitoring Expert (PME) Version 2021 CU1 and prior

EcoStruxure Power Operation (EPO) – Advanced Reporting and Dashboards Module 2021 prior to CU2 for EcoStruxure Power Operation 2021

References

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database