Bertin Jose

**Name of the Vulnerable Software and Affected Versions** Schneider Electric PowerLogic PM5560 versions prior to 2.5.4 **Description** A Cross Protocol Injection issue exists, making the product susceptible to cross-site scripting attacks on its web browser. User inputs can be manipulated to cause the execution of JavaScript code. The vulnerability is related to insufficient protection of the web page structure, which could allow a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 2.5.4, update to version 2.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the web interface of the PowerLogic PM5560 to minimize the risk of exploitation. Avoid using the web browser interface for sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Anti-Web through version 3.8.7 **Description** The issue allows remote authenticated users to execute arbitrary OS commands via crafted `multipart/form-data` content. This affects devices from various manufacturers, including NetBiter / HMS, Ouman EH-net, Alliance System WS100 --> AWU 500, Sauter ERW100F001, Carlo Gavazzi SIU-DLG, AEDILIS SMART-1, SYXTHSENSE WebBiter, ABB SREA, and ASCON DY WebServer. **Recommendations** For Anti-Web version 3.8.7 and earlier, consider restricting access to the `cgi-bin/write.cgi` endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `multipart/form-data` content type in the affected endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.