PT-2018-8543 · Schneider Electric · Powerscada Anywhere+2
Published
2018-02-12
·
Updated
2019-04-23
·
CVE-2017-9963
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
PowerSCADA Anywhere version 1.0
PowerSCADA Expert versions 8.1 through 8.2
Citect Anywhere version 1.0
Description
A cross-site request forgery issue exists in the Secure Gateway component, allowing for multiple state-changing requests. This type of attack requires social engineering to trick a legitimate user into accessing a malicious link or site containing the CSRF attack.
Recommendations
For PowerSCADA Anywhere version 1.0, update the Secure Gateway component to prevent cross-site request forgery attacks.
For PowerSCADA Expert versions 8.1 through 8.2, ensure the Secure Gateway component is updated to mitigate the risk of CSRF attacks.
For Citect Anywhere version 1.0, consider restricting access to the Secure Gateway component until a fix is available.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Citect Anywhere
Powerscada Anywhere
Powerscada Expert