CVE-2020-7546

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 46.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric Ecostruxure Energy Expert Schneider-electric Ecostruxure Power Monitoring Expert Schneider-electric Power Manager +2 more

Timeline

PublishedDec 1

Latest updateMay 24

Description

A CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow an attacker to perform actions on behalf of the authorized user when accessing an affected webpage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages6 packages

▶CVEListV5ecostruxureª_and_smartstruxureª_power_monitoring_and_scada_software_(see_security_notification_for_version_information)EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information)

▶NVDschneider-electric/ecostruxure_power_monitoring_expert7.0, 8.0, 9.0+2

▶NVDschneider-electric/powerscada_expert_with_advanced_reporting_and_dashboards8.0

▶NVDschneider-electric/powerscada_operation_with_advanced_reporting_and_dashboards9.0

▶NVDschneider-electric/power_manager1.1, 1.2, 1.3+2

🔴Vulnerability Details

GHSA

GHSA-xcfh-h8m8-532v: A CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCA↗2022-05-24

▶

CVEList

CVE-2020-7546: A CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCA↗2020-12-01

▶