Schneider Fixes XSS Vulnerability

Wednesday, June 22, 2016 @ 02:06 PM gHale


Schneider Electric created a firmware update to mitigate a cross-site scripting (XSS) vulnerability in its PowerLogic PM8ECC communications add-on module for the Series 800 PowerMeter, according to a report with ICS-CERT.

PowerLogic PM8ECC, firmware versions prior to Version 2.651 suffer from the remotely exploitable vulnerability.

RELATED STORIES
Moxa Fixes Switch Vulnerability
OSIsoft Fixes Input Validation Hole
OSIsoft Fixes Input Validation Issue
Siemens Mitigates WinCC Vulnerability

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript in a specially crafted URL request where the response containing user data ends up returned to the web browser without being made safe to display.

Schneider Electric’s corporate headquarters is located in Paris, France, and it maintains offices in more than 100 countries worldwide.

PowerLogic PM8ECC is a communications add-on module for the Series 800 PowerMeter. PowerLogic PM8ECC sees action in the commercial facilities sector. Schneider Electric said the product sees use on a global basis.

The XSS vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript.

CVE-2016-4513 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.

Click here for the PowerLogic PM8ECC firmware Version 2.65.