CVE-2017-7969

CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

8.8HIGH

EPSS

0.1%

top 66.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider Electric SE Citect Anywhere Schneider Electric SE Powerscada Anywhere Schneider-electric Citect Anywhere +1 more

Timeline

PublishedSep 26

Latest updateMay 17

Description

A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDschneider-electric/powerscada_anywhere1.0

▶CVEListV5schneider_electric_se/powerscada_anywhereVersion 1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2

▶NVDschneider-electric/citect_anywhere1.0

▶CVEListV5schneider_electric_se/citect_anywhereversion 1.0

Patches

Patch: www.schneider-electric.com ↗Patch: www.citect.schneider-electric.com ↗Patch: www.schneider-electric.com ↗

🔴Vulnerability Details

GHSA

GHSA-gm35-5x3x-4xw9: A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1↗2022-05-17

▶

CVEList

CVE-2017-7969: A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1↗2017-09-25

▶