Input validation error in Citect Anywhere - CVE-2017-7970
Published: September 26, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38197
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-7970
CWE-ID: CWE-20
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Schneider Electric
Affected software:
Citect Anywhere
Citect Anywhere
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the ability to specify Arbitrary Server Target Nodes in connection requests to the Secure Gateway and Server components.
How to mitigate CVE-2017-7970
Install update from vendor's website.