Alisa Esage Shevchenko

**Name of the Vulnerable Software and Affected Versions** Schneider Electric InduSoft Web Studio versions prior to 7.1.3.5 Patch 5 Wonderware InTouch Machine Edition versions prior to 7.1 SP3 Patch 5 **Description** The issue allows local users to obtain sensitive information by reading a file due to the use of cleartext for project-window password storage. **Recommendations** For Schneider Electric InduSoft Web Studio versions prior to 7.1.3.5 Patch 5, update to version 7.1.3.5 Patch 5 or later. For Wonderware InTouch Machine Edition versions prior to 7.1 SP3 Patch 5, update to version 7.1 SP3 Patch 5 or later.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric InduSoft Web Studio versions prior to 7.1.3.4 SP3 Patch 4 Schneider Electric InTouch Machine Edition 2014 versions prior to 7.1.3.4 SP3 Patch 4 **Description** The issue allows local users to obtain sensitive information by discovering a hardcoded cleartext password used to control read access to Project files and Project Configuration files. **Recommendations** For Schneider Electric InduSoft Web Studio versions prior to 7.1.3.4 SP3 Patch 4, update to version 7.1.3.4 SP3 Patch 4 or later. For Schneider Electric InTouch Machine Edition 2014 versions prior to 7.1.3.4 SP3 Patch 4, update to version 7.1.3.4 SP3 Patch 4 or later.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric InduSoft Web Studio versions prior to 7.1.3.4 SP3 Patch 4 Schneider Electric InTouch Machine Edition 2014 versions prior to 7.1.3.4 SP3 Patch 4 **Description** The issue allows remote attackers to obtain access via a brute-force password-guessing attack, as the HMI user interface lists all valid usernames. **Recommendations** For Schneider Electric InduSoft Web Studio versions prior to 7.1.3.4 SP3 Patch 4, update to version 7.1.3.4 SP3 Patch 4 or later. For Schneider Electric InTouch Machine Edition 2014 versions prior to 7.1.3.4 SP3 Patch 4, update to version 7.1.3.4 SP3 Patch 4 or later.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric InduSoft Web Studio versions prior to 7.1.3.4 SP3 Patch 4 Schneider Electric InTouch Machine Edition 2014 versions prior to 7.1.3.4 SP3 Patch 4 **Description** The issue allows remote attackers to obtain sensitive information by sniffing the network, as cleartext credentials are transmitted. **Recommendations** For Schneider Electric InduSoft Web Studio versions prior to 7.1.3.4 SP3 Patch 4, update to version 7.1.3.4 SP3 Patch 4 or later. For Schneider Electric InTouch Machine Edition 2014 versions prior to 7.1.3.4 SP3 Patch 4, update to version 7.1.3.4 SP3 Patch 4 or later.