AVEVA Clears InTouch Access Anywhere Hole

Tuesday, July 31, 2018 @ 05:07 PM gHale

AVEVA Software, LLC (AVEVA) has released an update to mitigate a cross-site scripting vulnerability in its InTouch Access Anywhere product, according to a report from NCCIC.

Successful exploitation of this remotely exploitable vulnerability, discovered by Google’s Security Team, may allow attackers to obtain sensitive information and/or execute JavaScript or HTML code.


The following versions of InTouch Access Anywhere, remote access software, use the vulnerable jQuery library:
• 2017 Update 2 and prior.

Vulnerable versions of jQuery are those prior to Version 3.0.0.

In this issue, jQuery before Version 3.0.0 is vulnerable to cross-site scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, which causes responses served as text/javascript to be executed.

CVE-2015-9251 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.
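The behaviour behind CVE-2015-9251 can be reasoned about without a browser. The following is an added illustration, not jQuery's or AVEVA's code: it models the part of jQuery's ajax logic that decides whether an untyped response is handed to the script evaluator, and the jQuery 3.0 change that stops doing so for cross-domain requests. The origins and URLs are constructed for the example.

```javascript
// Model of jQuery.ajax's decision to execute a response body (illustration only).
// jQuery's content sniffer treats these Content-Types as "script".
const SCRIPT_CONTENT_TYPE = /\b(?:java|ecma)script\b/;

// jQuery flags a request crossDomain when scheme, host or port differ from the page.
function isCrossDomain(pageOrigin, requestUrl) {
  const page = new URL(pageOrigin);
  const req = new URL(requestUrl, pageOrigin); // relative URLs resolve against the page
  return page.protocol !== req.protocol ||
         page.hostname !== req.hostname ||
         page.port !== req.port;
}

// Returns true when the response body would be passed to the script evaluator.
//   contentType   - the response's Content-Type header
//   opts.dataType - the dataType the caller passed, or undefined when omitted
//   opts.version  - jQuery major version: 2 models pre-3.0.0, 3 models the fixed library
function willExecute(pageOrigin, requestUrl, contentType, opts) {
  const crossDomain = isCrossDomain(pageOrigin, requestUrl);
  // An explicit dataType is honoured as given; only "script" asks for execution.
  if (opts.dataType) {
    return opts.dataType === "script";
  }
  // No dataType: jQuery sniffs the Content-Type to pick a converter.
  // Before 3.0.0 the sniff also applied to cross-domain responses, so a remote
  // server answering with text/javascript got its body executed in the page.
  // jQuery 3.0.0 disables the script sniff for cross-domain requests.
  const sniffScript = opts.version >= 3 ? !crossDomain : true;
  return sniffScript && SCRIPT_CONTENT_TYPE.test(contentType);
}

// Constructed scenario: an HMI page fetching a widget from another host.
const PAGE = "https://hmi.example.test/";
const REMOTE = "https://cdn.example.test/widget";
console.log("pre-3.0, no dataType, cross-domain text/javascript:",
  willExecute(PAGE, REMOTE, "text/javascript", { version: 2 }));   // true: executed
console.log("3.x, no dataType, cross-domain text/javascript:",
  willExecute(PAGE, REMOTE, "text/javascript", { version: 3 }));   // false: treated as text
console.log("pre-3.0 with explicit dataType 'json':",
  willExecute(PAGE, REMOTE, "text/javascript", { version: 2, dataType: "json" })); // false
```

Setting an explicit dataType on every cross-domain call is the code-level mitigation for applications that cannot yet move to jQuery 3.x; the vendor update is the fix for InTouch Access Anywhere itself.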

The product sees use mainly in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater sectors, and is deployed worldwide.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

AVEVA recommends users install update “InTouch Access Anywhere 2017 Update 2b” or later. (login required)

In addition, AVEVA published Security Bulletin LFSEC00000126.
