CVE-2017-9963

EPSS 0.15%
Published 12.02.2018 23:29:00
Last modified 21.11.2024 03:37:15
Source cybersecurity@se.com
Teams watchlist Login
Open Login

A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Schneider-electric ≫ Powerscada Anywhere Version1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.357

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/

Broken Link

https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2017-9963

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-9963

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-9963

EUVD