Main Vulnerability Database Vulnerabilities #VU38199

Input validation error in Citect Anywhere - CVE-2017-7972

Published: September 26, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU38199

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-7972

CWE-ID: CWE-20

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vendor: Schneider Electric

Affected software:
Citect Anywhere

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the ability to escape out of remote PowerSCADA Anywhere applications and launch other processes.

How to mitigate CVE-2017-7972

Install update from vendor's website.

Sources

http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/
http://www.securityfocus.com/bid/99913
https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere

Input validation error in Citect Anywhere - CVE-2017-7972

Detailed vulnerability description

How to mitigate CVE-2017-7972

Sources

Please verify you're human