Cross-site Scripting Vulnerability in Schneider Electric Products
CVE-2023-5987

6.1 MEDIUM

Summary

A vulnerability exists due to improper neutralization of input during web page generation, enabling cross-site scripting attacks. An attacker can inject a malicious payload that executes arbitrary JavaScript in a victim's browser when the victim visits a compromised page. Users of affected Schneider Electric products must implement security best practices to mitigate potential exploits.

Affected Version(s)

EcoStruxure Power Monitoring Expert (PME) Version 2020 CU2 and prior

EcoStruxure Power Monitoring Expert (PME) Version 2021 CU1 and prior

EcoStruxure Power Operation (EPO) – Advanced Reporting and Dashboards Module 2021 prior to CU2 for EcoStruxure Power Operation 2021

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
