Juan Francisco Bolivar

**Name of the Vulnerable Software and Affected Versions** Exis Contexis versions prior to 2.0 **Description** A cross-site scripting (XSS) issue exists in the photo gallery model, allowing remote attackers to inject arbitrary web script or HTML via the `image` parameter in a detail action. **Recommendations** For versions prior to 2.0, update to version 2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the photo gallery model to minimize the risk of exploitation. Avoid using the `image` parameter in the affected detail action until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric Modicon BMXNOC0401 Schneider Electric Modicon BMXNOE0100 Schneider Electric Modicon BMXNOE0110 Schneider Electric Modicon BMXNOE0110H Schneider Electric Modicon BMXNOR0200H Schneider Electric Modicon BMXP342020 Schneider Electric Modicon BMXP342020H Schneider Electric Modicon BMXP342030 Schneider Electric Modicon BMXP3420302 Schneider Electric Modicon BMXP3420302H Schneider Electric Modicon BMXP342030H **Description** The issue allows an attacker to craft a specific URL referencing the PLC web server, which, when launched, will result in the browser redirecting to a remote file via a Java script loaded with the web page. This is related to remote file inclusion. **Recommendations** For each of the affected Schneider Electric Modicon devices, consider restricting access to the web server as a temporary workaround until a patch is available. Avoid using the PLC web server for sensitive operations until the issue is resolved. As a temporary mitigation measure, consider disabling Java script loading in the web page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric Modicon BMXNOC0401 Schneider Electric Modicon BMXNOE0100 Schneider Electric Modicon BMXNOE0110 Schneider Electric Modicon BMXNOE0110H Schneider Electric Modicon BMXNOR0200H Schneider Electric Modicon BMXP342020 Schneider Electric Modicon BMXP342020H Schneider Electric Modicon BMXP342030 Schneider Electric Modicon BMXP3420302 Schneider Electric Modicon BMXP3420302H Schneider Electric Modicon BMXP342030H **Description** The issue allows an attacker to craft a specific URL that contains JavaScript, which will be executed on the client browser of the PLC. This is a Reflected Cross-Site Scripting (nonpersistent) issue. **Recommendations** For each of the affected devices, apply the recommended patch or update from Schneider Electric to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ISL Desktop plugin for Windows versions prior to 1.4.7 for ISL Light 3.5.4 and earlier **Description** The issue allows remote authenticated users to obtain sensitive information by pasting the clipboard contents that have been copied by another user in the session. **Recommendations** For versions prior to 1.4.7, update to version 1.4.7 or later to resolve the issue.