ID

VAR-201808-0965


CVE

CVE-2018-7795


TITLE

Schneider Electric PowerLogic PM5560 Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-17064 // CNNVD: CNNVD-201808-905

DESCRIPTION

A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to a cross-site scripting attack on its web browser. User inputs can be manipulated to cause execution of JavaScript code. Schneider Electric PowerLogic PM5560 contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. The Schneider Electric PowerLogic PM5560 is a versatile power metering device from Schneider Electric, France. A remote attacker can exploit the vulnerability to manipulate JavaScript code by manipulating input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 2.43

sources: NVD: CVE-2018-7795 // JVNDB: JVNDB-2018-010008 // CNVD: CNVD-2018-17064 // BID: 105170

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-17064

AFFECTED PRODUCTS

vendor: schneider electric, model: powerlogic pm5560, scope: lt, version: 2.5.4

Trust: 1.8

vendor: schneider, model: electric powerlogic pm5560, scope: eq, version: 2.5.4

Trust: 0.6

vendor: schneider electric, model: powerlogic pm5560, scope: eq, version: 2.5

Trust: 0.3

vendor: schneider electric, model: powerlogic pm5560, scope: ne, version: 2.5.4

Trust: 0.3

sources: CNVD: CNVD-2018-17064 // BID: 105170 // JVNDB: JVNDB-2018-010008 // NVD: CVE-2018-7795

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7795
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-7795
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-17064
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201808-905
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-7795
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-17064
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-7795
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-17064 // JVNDB: JVNDB-2018-010008 // CNNVD: CNNVD-201808-905 // NVD: CVE-2018-7795

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-010008 // NVD: CVE-2018-7795

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201808-905

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201808-905

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010008

PATCH

title: SEVD-2018-228-01, url: https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-228-01-PowerLogic+PM5560.pdf&p_Doc_Ref=SEVD-2018-228-01

Trust: 0.8

title: Patch for Schneider Electric PowerLogic PM5560 Cross-Site Scripting Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/138983

Trust: 0.6

sources: CNVD: CNVD-2018-17064 // JVNDB: JVNDB-2018-010008

EXTERNAL IDS

db: NVD, id: CVE-2018-7795

Trust: 3.3

db: ICS CERT, id: ICSA-18-240-03

Trust: 3.3

db: SCHNEIDER, id: SEVD-2018-228-01

Trust: 1.6

db: BID, id: 105170

Trust: 1.3

db: JVNDB, id: JVNDB-2018-010008

Trust: 0.8

db: CNVD, id: CNVD-2018-17064

Trust: 0.6

db: CNNVD, id: CNNVD-201808-905

Trust: 0.6

sources: CNVD: CNVD-2018-17064 // BID: 105170 // JVNDB: JVNDB-2018-010008 // CNNVD: CNNVD-201808-905 // NVD: CVE-2018-7795

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-240-03

Trust: 3.3

url:https://www.schneider-electric.com/en/download/document/sevd-2018-228-01/

Trust: 1.6

url:http://www.securityfocus.com/bid/105170

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7795

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-7795

Trust: 0.8

url:www.controlmicrosystems.com

Trust: 0.3

sources: CNVD: CNVD-2018-17064 // BID: 105170 // JVNDB: JVNDB-2018-010008 // CNNVD: CNNVD-201808-905 // NVD: CVE-2018-7795

CREDITS

Schneider Electric, working with Ezequiel Fernandez and Bertin Jose

Trust: 0.6

sources: CNNVD: CNNVD-201808-905

SOURCES

db: CNVD, id: CNVD-2018-17064
db: BID, id: 105170
db: JVNDB, id: JVNDB-2018-010008
db: CNNVD, id: CNNVD-201808-905
db: NVD, id: CVE-2018-7795

LAST UPDATE DATE

2024-11-23T22:52:00.466000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-17064, date: 2018-08-31T00:00:00
db: BID, id: 105170, date: 2018-08-28T00:00:00
db: JVNDB, id: JVNDB-2018-010008, date: 2018-12-04T00:00:00
db: CNNVD, id: CNNVD-201808-905, date: 2018-08-29T00:00:00
db: NVD, id: CVE-2018-7795, date: 2024-11-21T04:12:45

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-17064, date: 2018-08-31T00:00:00
db: BID, id: 105170, date: 2018-08-28T00:00:00
db: JVNDB, id: JVNDB-2018-010008, date: 2018-12-04T00:00:00
db: CNNVD, id: CNNVD-201808-905, date: 2018-08-29T00:00:00
db: NVD, id: CVE-2018-7795, date: 2018-08-29T20:29:00.437