ID

VAR-201112-0182


CVE

CVE-2011-4263


TITLE

PowerChute Business Edition vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2011-000100

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Schneider Electric PowerChute Business Edition before 8.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. PowerChute Business Edition contains a cross-site scripting vulnerability. PowerChute Business Edition from Schneider Electric is a power management software. PowerChute Business Edition contains a cross-site scripting vulnerability. Jun Okada of GLOBAL TECHNOLOGY CORPORATION reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An arbitrary script may be executed on the user's web browser. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: APC PowerChute Business Edition Unspecified Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA47113 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47113/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47113 RELEASE DATE: 2011-12-13 DISCUSS ADVISORY: http://secunia.com/advisories/47113/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47113/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47113 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in APC PowerChute Business Edition, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being returned to the user. SOLUTION: Update to version 8.5. ORIGINAL ADVISORY: JVN: https://jvn.jp/en/jp/JVN61695284/index.html http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000100.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.7

sources: NVD: CVE-2011-4263 // JVNDB: JVNDB-2011-000100 // CNVD: CNVD-2011-5251 // BID: 51022 // IVD: 58a2b8ce-2354-11e6-abef-000c29c66e3d // PACKETSTORM: 107938

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 58a2b8ce-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5251

AFFECTED PRODUCTS

vendor:apcmodel:powerchutescope:eqversion:7.0.4

Trust: 1.6

vendor:apcmodel:powerchutescope:eqversion:6.0

Trust: 1.6

vendor:apcmodel:powerchutescope:eqversion:7.1

Trust: 1.6

vendor:apcmodel:powerchutescope:lteversion:8.0.1

Trust: 1.0

vendor:schneidermodel:electric powerchute business editionscope:eqversion:0

Trust: 0.9

vendor:schneider electricmodel:powerchutescope:eqversion:(business) prior to 8.5

Trust: 0.8

vendor:apcmodel:powerchutescope:eqversion:8.0.1

Trust: 0.6

vendor:schneidermodel:electric powerchute business editionscope:neversion:8.5

Trust: 0.3

vendor:powerchutemodel: - scope:eqversion:6.0

Trust: 0.2

vendor:powerchutemodel: - scope:eqversion:7.0.4

Trust: 0.2

vendor:powerchutemodel: - scope:eqversion:7.1

Trust: 0.2

vendor:powerchutemodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 58a2b8ce-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5251 // BID: 51022 // JVNDB: JVNDB-2011-000100 // CNNVD: CNNVD-201112-079 // NVD: CVE-2011-4263

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-4263
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2011-000100
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201112-079
value: MEDIUM

Trust: 0.6

IVD: 58a2b8ce-2354-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2011-4263
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2011-000100
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IVD: 58a2b8ce-2354-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 58a2b8ce-2354-11e6-abef-000c29c66e3d // JVNDB: JVNDB-2011-000100 // CNNVD: CNNVD-201112-079 // NVD: CVE-2011-4263

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2011-000100 // NVD: CVE-2011-4263

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201112-079

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 107938 // CNNVD: CNNVD-201112-079

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-000100

PATCH

title:PowerChute Business Editionurl:http://www.apc.com/products/family/index.cfm?id=125&ISOCountryCode=us

Trust: 0.8

title:Schneider Electric PowerChute Business Edition has patches for unidentified cross-site scripting vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/6260

Trust: 0.6

sources: CNVD: CNVD-2011-5251 // JVNDB: JVNDB-2011-000100

EXTERNAL IDS

db:NVDid:CVE-2011-4263

Trust: 3.5

db:JVNid:JVN61695284

Trust: 3.4

db:JVNDBid:JVNDB-2011-000100

Trust: 2.8

db:CNVDid:CNVD-2011-5251

Trust: 0.8

db:CNNVDid:CNNVD-201112-079

Trust: 0.8

db:JVNid:JVN#61695284

Trust: 0.6

db:BIDid:51022

Trust: 0.3

db:SECUNIAid:47113

Trust: 0.3

db:IVDid:58A2B8CE-2354-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:PACKETSTORMid:107938

Trust: 0.1

sources: IVD: 58a2b8ce-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5251 // BID: 51022 // JVNDB: JVNDB-2011-000100 // PACKETSTORM: 107938 // CNNVD: CNNVD-201112-079 // NVD: CVE-2011-4263

REFERENCES

url:http://jvn.jp/en/jp/jvn61695284/index.html

Trust: 2.8

url:http://jvndb.jvn.jp/jvndb/jvndb-2011-000100

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4263

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4263

Trust: 0.8

url:http://jvn.jp/en/jp/jvn61695284/index.htmlhttp

Trust: 0.6

url:http://jvndb.jvn.jp/en/contents/2011/jvndb-2011-000100.html

Trust: 0.4

url:http://www.apc.com/products/family/index.cfm?id=125&isocountrycode=us

Trust: 0.3

url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true

Trust: 0.3

url:http://secunia.com/company/jobs/

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/47113/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/advisories/47113/#comments

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47113

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CNVD: CNVD-2011-5251 // BID: 51022 // JVNDB: JVNDB-2011-000100 // PACKETSTORM: 107938 // CNNVD: CNNVD-201112-079 // NVD: CVE-2011-4263

CREDITS

Jun Okada of GLOBAL TECHNOLOGY CORPORATION

Trust: 0.3

sources: BID: 51022

SOURCES

db:IVDid:58a2b8ce-2354-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2011-5251
db:BIDid:51022
db:JVNDBid:JVNDB-2011-000100
db:PACKETSTORMid:107938
db:CNNVDid:CNNVD-201112-079
db:NVDid:CVE-2011-4263

LAST UPDATE DATE

2024-11-23T22:27:34.993000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2011-5251date:2011-12-14T00:00:00
db:BIDid:51022date:2015-03-19T09:36:00
db:JVNDBid:JVNDB-2011-000100date:2011-12-06T00:00:00
db:CNNVDid:CNNVD-201112-079date:2011-12-08T00:00:00
db:NVDid:CVE-2011-4263date:2024-11-21T01:32:06.440

SOURCES RELEASE DATE

db:IVDid:58a2b8ce-2354-11e6-abef-000c29c66e3ddate:2011-12-14T00:00:00
db:CNVDid:CNVD-2011-5251date:2011-12-14T00:00:00
db:BIDid:51022date:2011-12-12T00:00:00
db:JVNDBid:JVNDB-2011-000100date:2011-12-06T00:00:00
db:PACKETSTORMid:107938date:2011-12-16T07:34:32
db:CNNVDid:CNNVD-201112-079date:2011-12-08T00:00:00
db:NVDid:CVE-2011-4263date:2011-12-07T19:55:01.957