CVE-2018-7772

Name of the Vulnerable Software and Affected Versions: Schneider Electric U.motion Builder versions prior to 1.3.4

Description: The issue exists in the processing of applets exposed on the web service. It involves a SQL injection vulnerability in the underlying SQLite database query, which checks if a user is logged in. The loginSeed parameter is susceptible to this injection and can be embedded in the HTTP cookie of the request.

Recommendations: For versions prior to 1.3.4, update to version 1.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable applets to minimize the risk of exploitation. Avoid using the loginSeed parameter in the affected HTTP cookie until the issue is resolved.