PT-2017-18035 · Schneider Electric · Powerscada Anywhere+2
Published
2017-09-25
·
Updated
2017-09-29
·
CVE-2017-7969
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
PowerSCADA Anywhere version 1.0
PowerSCADA Expert versions 8.1 through 8.2
Citect Anywhere version 1.0
Description
A cross-site request forgery issue exists in the Secure Gateway component, allowing for multiple state-changing requests. This type of attack requires social engineering to trick a legitimate user into accessing a malicious link or site containing the CSRF attack.
Recommendations
For PowerSCADA Anywhere version 1.0, update to a version that includes a fix for this issue.
For PowerSCADA Expert versions 8.1 through 8.2, update to a version that includes a fix for this issue.
For Citect Anywhere version 1.0, update to a version that includes a fix for this issue.
As a temporary workaround, consider restricting access to the Secure Gateway component to minimize the risk of exploitation.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Citect Anywhere
Powerscada Anywhere
Powerscada Expert