CVE-2017-13997

CWE-306 — Missing Authentication3 documents3 sources

Severity

9.8CRITICAL

EPSS

1.6%

top 18.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric Wonderware Indusoft WEB Studio Schneider-electric Wonderware Intouch

Timeline

PublishedOct 3

Latest updateMay 13

Description

A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high pr…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDschneider-electric/wonderware_indusoft_web_studio8.0

▶NVDschneider-electric/wonderware_intouch8.0

🔴Vulnerability Details

GHSA

GHSA-mpcf-5x9h-p6p7: A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8↗2022-05-13

▶

CVEList

CVE-2017-13997: A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8↗2017-10-02

▶