CVE-2015-1009
Published 2015-08-01
Priority: P46 · low · 1.7 (CVSS 2.0)
Vector: AV:L/AC:L/Au:S/C:P/I:N/A:N
EPSS: 0.32% (23.2th percentile)
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| indusoft | web_studio | <= 7.1.3.5 | — |
| wonderware | intouch | <= 7.1 | — |
GHSA
GHSA-h9m2-392c-p78g: Schneider Electric InduSoft Web Studio before 7
ghsa_unreviewed·2022-05-17
CVE-2015-1009 [LOW] CWE-200 GHSA-h9m2-392c-p78g: Schneider Electric InduSoft Web Studio before 7
CISA ICS
Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Password Storage Vulnerability
cisa_ics·2018-08-27
ICS Advisory
Last Revised: August 27, 2018
Alert Code: ICSA-15-211-01
## OVERVIEW
Gleb Gritsai, Alisa Esage Shevchenko, Ilya Karpov, and the team from Positive Technologies Security have found sensitive information stored in clear text in the Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 products. Schneider Electric has released new patches to mitigate this vulnerability.
## AFFECTED PRODUCTS
The following Schneider Electric products are affected:
- InduSoft Web Stu
No detection rules found.
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-100-01
https://gcsresource.invensys.com/support/docs/_securitybulletins/Security_bulletin_LFSEC00000110.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-15-211-01