PT-2019-3852 · Siemens · Spectrum Power 5+3

Published: 2019-07-09 · Updated: 2019-08-13 · CVE-2019-10933

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Spectrum Power 3 (Corporate User Interface) versions 3.11 and earlier
Spectrum Power 4 (Corporate User Interface) version 4.75
Spectrum Power 5 (Corporate User Interface) versions 5.50 and earlier
Spectrum Power 7 (Corporate User Interface) versions 2.20 and earlier
Description

A vulnerability has been identified that could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for successful exploitation, but the user does not need to be logged into the web interface for the exploitation to succeed. The vulnerability stems from the web server not taking measures to protect the web page structure, which could allow a remote attacker to perform XSS attacks using a specially crafted malicious link. At the time of publishing, no public exploitation is known.
Recommendations

For Spectrum Power 3 (Corporate User Interface) versions 3.11 and earlier, update to a version later than 3.11.
For Spectrum Power 4 (Corporate User Interface) version 4.75, update to a version later than 4.75.
For Spectrum Power 5 (Corporate User Interface) versions 5.50 and earlier, update to version 5.50 or later.
For Spectrum Power 7 (Corporate User Interface) versions 2.20 and earlier, update to a version later than 2.20.

As a temporary workaround, consider restricting access to the web server to minimize the risk of exploitation.

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2019-04215
CVE-2019-10933

Affected Products

Spectrum Power 3
Spectrum Power 4
Spectrum Power 5
Spectrum Power 7