cvelistv5 - cve-2018-7795

cve-2018-7795

Vulnerability from cvelistv5

Published

2018-08-29 20:00

Modified

2024-09-16 17:03

Severity ?

Summary

References

URL	Tags
cybersecurity@se.com	http://www.securityfocus.com/bid/105170	Third Party Advisory, VDB Entry
cybersecurity@se.com	https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03	Mitigation, Third Party Advisory, US Government Resource
cybersecurity@se.com	https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/105170	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03	Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/	Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	Schneider Electric SE	PowerLogic - PM5560 prior to FW version 2.5.4	Version: PowerLogic - PM5560 prior to FW version 2.5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:37:59.640Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
          },
          {
            "name": "105170",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105170"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerLogic - PM5560 prior to FW version 2.5.4",
          "vendor": "Schneider Electric SE",
          "versions": [
            {
              "status": "affected",
              "version": "PowerLogic - PM5560 prior to FW version 2.5.4"
            }
          ]
        }
      ],
      "datePublic": "2018-08-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross Protocol Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-08-30T19:57:02",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
        },
        {
          "name": "105170",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105170"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "DATE_PUBLIC": "2018-08-15T00:00:00",
          "ID": "CVE-2018-7795",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PowerLogic - PM5560 prior to FW version 2.5.4",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "PowerLogic - PM5560 prior to FW version 2.5.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Schneider Electric SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross Protocol Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/",
              "refsource": "CONFIRM",
              "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
            },
            {
              "name": "105170",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105170"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2018-7795",
    "datePublished": "2018-08-29T20:00:00Z",
    "dateReserved": "2018-03-08T00:00:00",
    "dateUpdated": "2024-09-16T17:03:52.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-7795\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2018-08-29T20:29:00.437\",\"lastModified\":\"2024-11-21T04:12:45.000\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de inyecci\u00f3n de protocolos cruzados en el producto PowerLogic, de Schneider Electric (PM5560 anteriores a la versi\u00f3n de firmware 2.5.4). La vulnerabilidad hace que el producto sea susceptible a un ataque de Cross-Site Scripting (XSS) en su navegador web. Las entradas de usuario pueden manipularse para provocar la ejecuci\u00f3n de c\u00f3digo JavaScript.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:powerlogic_pm5560_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.5.4\",\"matchCriteriaId\":\"A237BEC6-C940-49B8-B39B-E3C6DF9EAA7D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:powerlogic_pm5560:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DDB1B76-3862-462E-B55D-875EBE508B92\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/105170\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/105170\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}"
  }
}

ICSA-18-240-03

Vulnerability from csaf_cisa

Published

2018-08-28 00:00

Modified

2018-08-28 00:00

Summary

Schneider Electric PowerLogic PM5560

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow user input to be manipulated, allowing for remote code execution.

Critical infrastructure sectors

Energy

Countries/areas deployed

Worldwide

Company headquarters location

France

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Ezequiel Fernandez",
          "Bertin Jose"
        ],
        "organization": "Schneider Electric",
        "summary": "reporting this vulnerability to NCCIC"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow user input to be manipulated, allowing for remote code execution.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Energy",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "France",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-240-03 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-240-03.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-240-03 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-240-03"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Schneider Electric PowerLogic PM5560",
    "tracking": {
      "current_release_date": "2018-08-28T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-18-240-03",
      "initial_release_date": "2018-08-28T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2018-08-28T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-18-240-03 Schneider Electric PowerLogic PM5560"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 2.5.4",
                "product": {
                  "name": "PowerLogic PM5560: all versions prior to firmware Version 2.5.4",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "PowerLogic PM5560"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric Software, LLC"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-7795",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The PowerLogic PM5560 product is susceptible to cross-site scripting attack on its web browser. An attacker may be able to manipulate inputs to cause execution of java script code.CVE-2018-7795 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7795"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has released a fix to address this vulnerability:",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.schneider-electric.com/en/download/document/PM5560_PM5563_V2.5.4_Release/"
        },
        {
          "category": "mitigation",
          "details": "For more information please see the Schneider Electric security notification at:",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

icsa-18-240-03

Vulnerability from csaf_cisa

Published

2018-08-28 00:00

Modified

2018-08-28 00:00

Summary

Schneider Electric PowerLogic PM5560

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

Risk evaluation

Successful exploitation of this vulnerability could allow user input to be manipulated, allowing for remote code execution.

Critical infrastructure sectors

Energy

Countries/areas deployed

Worldwide

Company headquarters location

France

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

Exploitability

No known public exploits specifically target this vulnerability.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Ezequiel Fernandez",
          "Bertin Jose"
        ],
        "organization": "Schneider Electric",
        "summary": "reporting this vulnerability to NCCIC"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow user input to be manipulated, allowing for remote code execution.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Energy",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "France",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-240-03 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-240-03.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-240-03 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-240-03"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Schneider Electric PowerLogic PM5560",
    "tracking": {
      "current_release_date": "2018-08-28T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-18-240-03",
      "initial_release_date": "2018-08-28T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2018-08-28T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-18-240-03 Schneider Electric PowerLogic PM5560"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 2.5.4",
                "product": {
                  "name": "PowerLogic PM5560: all versions prior to firmware Version 2.5.4",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "PowerLogic PM5560"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric Software, LLC"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-7795",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The PowerLogic PM5560 product is susceptible to cross-site scripting attack on its web browser. An attacker may be able to manipulate inputs to cause execution of java script code.CVE-2018-7795 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7795"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has released a fix to address this vulnerability:",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.schneider-electric.com/en/download/document/PM5560_PM5563_V2.5.4_Release/"
        },
        {
          "category": "mitigation",
          "details": "For more information please see the Schneider Electric security notification at:",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

fkie_cve-2018-7795

Vulnerability from fkie_nvd

Published

2018-08-29 20:29

Modified

2024-11-21 04:12

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cybersecurity@se.com	http://www.securityfocus.com/bid/105170	Third Party Advisory, VDB Entry
cybersecurity@se.com	https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03	Mitigation, Third Party Advisory, US Government Resource
cybersecurity@se.com	https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/105170	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03	Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/	Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	schneider-electric	powerlogic_pm5560_firmware	*
	schneider-electric	powerlogic_pm5560	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:schneider-electric:powerlogic_pm5560_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A237BEC6-C940-49B8-B39B-E3C6DF9EAA7D",
              "versionEndExcluding": "2.5.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:schneider-electric:powerlogic_pm5560:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DDB1B76-3862-462E-B55D-875EBE508B92",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de inyecci\u00f3n de protocolos cruzados en el producto PowerLogic, de Schneider Electric (PM5560 anteriores a la versi\u00f3n de firmware 2.5.4). La vulnerabilidad hace que el producto sea susceptible a un ataque de Cross-Site Scripting (XSS) en su navegador web. Las entradas de usuario pueden manipularse para provocar la ejecuci\u00f3n de c\u00f3digo JavaScript."
    }
  ],
  "id": "CVE-2018-7795",
  "lastModified": "2024-11-21T04:12:45.000",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-08-29T20:29:00.437",
  "references": [
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/105170"
    },
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03"
    },
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/105170"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
    }
  ],
  "sourceIdentifier": "cybersecurity@se.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-9cvx-7r58-v2x4

Vulnerability from github

Published

2022-05-14 02:01

Modified

2022-05-14 02:01

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-7795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-29T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code.",
  "id": "GHSA-9cvx-7r58-v2x4",
  "modified": "2022-05-14T02:01:21Z",
  "published": "2022-05-14T02:01:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7795"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03"
    },
    {
      "type": "WEB",
      "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105170"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2018-7795

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2018-7795

Aliases

CVE-2018-7795

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-7795",
    "description": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code.",
    "id": "GSD-2018-7795"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-7795"
      ],
      "details": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code.",
      "id": "GSD-2018-7795",
      "modified": "2023-12-13T01:22:33.180883Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@schneider-electric.com",
        "DATE_PUBLIC": "2018-08-15T00:00:00",
        "ID": "CVE-2018-7795",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "PowerLogic - PM5560 prior to FW version 2.5.4",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "PowerLogic - PM5560 prior to FW version 2.5.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Schneider Electric SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross Protocol Injection"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/",
            "refsource": "CONFIRM",
            "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
          },
          {
            "name": "105170",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/105170"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:schneider-electric:powerlogic_pm5560_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "2.5.4",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:schneider-electric:powerlogic_pm5560:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2018-7795"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-228-01/"
            },
            {
              "name": "105170",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/105170"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-240-03"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2018-11-07T19:09Z",
      "publishedDate": "2018-08-29T20:29Z"
    }
  }
}

var-201808-0965

Vulnerability from variot

A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code. Schneider Electric PowerLogic PM5560 Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. The Schneider Electric PowerLogic PM5560 is a versatile power metering device from Schneider Electric, France. A remote attacker can exploit the vulnerability to manipulate JavaScript code by manipulating input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201808-0965",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "powerlogic pm5560",
        "scope": "lt",
        "trust": 1.8,
        "vendor": "schneider electric",
        "version": "2.5.4"
      },
      {
        "model": "electric powerlogic pm5560",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "schneider",
        "version": "2.5.4"
      },
      {
        "model": "powerlogic pm5560",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "schneider electric",
        "version": "2.5"
      },
      {
        "model": "powerlogic pm5560",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "schneider electric",
        "version": "2.5.4"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "db": "BID",
        "id": "105170"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7795"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:schneider_electric:powerlogic_pm5560_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Schneider Electric, working with Ezequiel Fernandez and Bertin Jose",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2018-7795",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2018-7795",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2018-17064",
            "impactScore": 7.8,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2018-7795",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.8,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-7795",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-7795",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-17064",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201808-905",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7795"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A Cross Protocol Injection vulnerability exists in Schneider Electric\u0027s PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code. Schneider Electric PowerLogic PM5560 Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. The Schneider Electric PowerLogic PM5560 is a versatile power metering device from Schneider Electric, France. A remote attacker can exploit the vulnerability to manipulate JavaScript code by manipulating input. \nAn attacker may leverage this issue to execute arbitrary script code  in the browser of an unsuspecting user in the context of the affected  site. This can allow the attacker to steal cookie-based authentication  credentials and launch other attacks",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-7795"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "db": "BID",
        "id": "105170"
      }
    ],
    "trust": 2.43
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-7795",
        "trust": 3.3
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-18-240-03",
        "trust": 3.3
      },
      {
        "db": "SCHNEIDER",
        "id": "SEVD-2018-228-01",
        "trust": 1.6
      },
      {
        "db": "BID",
        "id": "105170",
        "trust": 1.3
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "db": "BID",
        "id": "105170"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7795"
      }
    ]
  },
  "id": "VAR-201808-0965",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      }
    ],
    "trust": 1.225
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:52:00.466000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SEVD-2018-228-01",
        "trust": 0.8,
        "url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet\u0026p_File_Name=SEVD-2018-228-01-PowerLogic+PM5560.pdf\u0026p_Doc_Ref=SEVD-2018-228-01"
      },
      {
        "title": "Patch for SchneiderElectricPowerLogic PM5560 Cross-Site Scripting Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/138983"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7795"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.3,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-18-240-03"
      },
      {
        "trust": 1.6,
        "url": "https://www.schneider-electric.com/en/download/document/sevd-2018-228-01/"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/bid/105170"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7795"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-7795"
      },
      {
        "trust": 0.3,
        "url": "www.controlmicrosystems.com"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "db": "BID",
        "id": "105170"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7795"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "db": "BID",
        "id": "105170"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7795"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-08-31T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "date": "2018-08-28T00:00:00",
        "db": "BID",
        "id": "105170"
      },
      {
        "date": "2018-12-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "date": "2018-08-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      },
      {
        "date": "2018-08-29T20:29:00.437000",
        "db": "NVD",
        "id": "CVE-2018-7795"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-08-31T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "date": "2018-08-28T00:00:00",
        "db": "BID",
        "id": "105170"
      },
      {
        "date": "2018-12-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-010008"
      },
      {
        "date": "2018-08-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      },
      {
        "date": "2024-11-21T04:12:45",
        "db": "NVD",
        "id": "CVE-2018-7795"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Schneider Electric PowerLogic PM5560 Cross-Site Scripting Vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-17064"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201808-905"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2018-7795

Vulnerability from cvelistv5

ICSA-18-240-03

Vulnerability from csaf_cisa

icsa-18-240-03

Vulnerability from csaf_cisa

fkie_cve-2018-7795

Vulnerability from fkie_nvd

ghsa-9cvx-7r58-v2x4

Vulnerability from github

gsd-2018-7795

Vulnerability from gsd

var-201808-0965

Vulnerability from variot

Tags

Sightings

Nomenclature