PT-2019-7201 · Schneider Electric · Modicon BMXP342020 +6
Aditya K. Sood +1
Published 2019-03-21 · Updated 2024-04-10
CVE-2015-6461
CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Schneider Electric Modicon BMXNOC0401
Schneider Electric Modicon BMXNOE0100
Schneider Electric Modicon BMXNOE0110
Schneider Electric Modicon BMXNOE0110H
Schneider Electric Modicon BMXNOR0200H
Schneider Electric Modicon BMXP342020
Schneider Electric Modicon BMXP342020H
Schneider Electric Modicon BMXP342030
Schneider Electric Modicon BMXP3420302
Schneider Electric Modicon BMXP3420302H
Schneider Electric Modicon BMXP342030H
Description
The issue allows an attacker to craft a specific URL that references the PLC web server. When a user opens that URL, JavaScript loaded with the web page redirects the browser to a remote file. The weakness is related to remote file inclusion.
Recommendations
For each of the affected Schneider Electric Modicon devices, consider restricting access to the web server as a temporary workaround until a patch is available.
Avoid using the PLC web server for sensitive operations until the issue is resolved.
As a temporary mitigation measure, consider disabling JavaScript loading in the web page to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
RCE
Affected Products
Modicon BMXNOC0401
Modicon BMXNOE0100
Modicon BMXNOE0110
Modicon BMXNOR0200
Modicon BMXP342020
Modicon BMXP342030
Modicon BMXP3420302