CVE-2023-2072

EPSS 0.66%
Veröffentlicht 11.07.2023 14:15:09
Zuletzt bearbeitet 21.11.2024 07:57:52
Quelle PSIRT@rockwellautomation.com
CVE-Watchlists
Login
Unerledigt
Login

The Rockwell Automation PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web page of the product.  The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rockwellautomation ≫ Powermonitor 1000 Firmware Version-

Rockwellautomation ≫ Powermonitor 1000 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.66%	0.704

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
PSIRT@rockwellautomation.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139761

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-2072

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2072

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2072

EUVD