Schneider Electric Kerweb/Kerwin多个跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121102 漏洞类型 跨站脚本
发布时间 2012-05-06 更新时间 2012-05-06
CVE编号 CVE-2012-1990 CNNVD-ID CNNVD-201205-392
漏洞平台 PHP CVSS评分 4.3

Multiple Schneider Electric Telecontrol products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied data before it is used in dynamic content.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

The following products are affected:

Schneider Electric Telecontrol Kerweb versions prior to 3.0.1
Schneider Electric Telecontrol Kerwin versions prior to 6.0.1[XSS]
Schneider Electric Telecontrol Kerwin 6.0.0 Schneider Electric Telecontrol Kerweb 3.0.0