CVE-2012-1990

Name of the Vulnerable Software and Affected Versions Schneider Electric Kerweb versions prior to 3.0.1 Schneider Electric Kerwin versions prior to 6.0.1

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the evtvariablename parameter in an evts.xml action to kw.dll, unspecified search fields, or unspecified content-display fields.

Recommendations For Schneider Electric Kerweb versions prior to 3.0.1, update to version 3.0.1 or later. For Schneider Electric Kerwin versions prior to 6.0.1, update to version 6.0.1 or later. As a temporary workaround, consider restricting access to the kw.dll and evts.xml actions until a patch is available. Avoid using the evtvariablename parameter in the affected API endpoint until the issue is resolved.