CVE-2020-7570

Name of the Vulnerable Software and Affected Versions: EcoStruxure Building Operation WebReports versions 1.9 through 3.1

Description: A Cross-site Scripting stored vulnerability exists due to improper neutralization of input during web page generation, allowing an authenticated remote user to inject arbitrary web script or HTML. This is caused by incorrect sanitization of user-supplied data, which could lead to a Cross-Site Scripting stored attack against other WebReport users. The vulnerability may also allow a remote attacker to upload malicious files and execute arbitrary code.

Recommendations: For versions 1.9 through 3.1, update to a version that properly sanitizes user-supplied data to prevent Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the WebReports feature until a patch is available. Additionally, restrict the ability of users to upload files to minimize the risk of exploitation.