CVE-2017-7969 - OpenCVE

A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Citect Anywhere Powerscada Anywhere Powerscada Expert

Configuration 1 [-]

AND

cpe:2.3:a:schneider-electric:powerscada_anywhere:1.0:*:*:*:*:*:*:*

OR	cpe:2.3:a:schneider-electric:powerscada_expert:8.1:::::::*
	cpe:2.3:a:schneider-electric:powerscada_expert:8.2:::::::*

Configuration 2 [-]

cpe:2.3:a:schneider-electric:citect_anywhere:1.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/
http://www.securityfocus.com/bid/99913
https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2017-09-25T19:00:00Z

Updated: 2024-09-17T01:30:49.504Z

Reserved: 2017-04-19T00:00:00

Link: CVE-2017-7969

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-09-26T01:29:03.460

Modified: 2017-09-29T17:09:28.900

Link: CVE-2017-7969

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "PowerSCADA Anywhere", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "Version 1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2"}]}, {"product": "Citect Anywhere", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "version 1.0"}]}], "datePublic": "2017-06-22T00:00:00", "descriptions": [{"lang": "en", "value": "A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack."}], "problemTypes": [{"descriptions": [{"description": "Cross Site Request Forgery", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-26T09:57:01", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"name": "99913", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99913"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "DATE_PUBLIC": "2017-06-22T00:00:00", "ID": "CVE-2017-7969", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PowerSCADA Anywhere", "version": {"version_data": [{"version_value": "Version 1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2"}]}}, {"product_name": "Citect Anywhere", "version": {"version_data": [{"version_value": "version 1.0"}]}}]}, "vendor_name": "Schneider Electric SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Request Forgery"}]}]}, "references": {"reference_data": [{"name": "99913", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99913"}, {"name": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere", "refsource": "CONFIRM", "url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere"}, {"name": "http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/", "refsource": "CONFIRM", "url": "http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:19:29.450Z"}, "title": "CVE Program Container", "references": [{"name": "99913", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99913"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/"}]}]}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2017-7969", "datePublished": "2017-09-25T19:00:00Z", "dateReserved": "2017-04-19T00:00:00", "dateUpdated": "2024-09-17T01:30:49.504Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:powerscada_anywhere:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6445511E-70B8-4E03-A178-FFDBE02E1609", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:powerscada_expert:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "AE171A71-B1AF-471B-9D27-07D4491D05B3", "vulnerable": false}, {"criteria": "cpe:2.3:a:schneider-electric:powerscada_expert:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "D2A3FA74-D201-41AA-BDA1-82816813AD11", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:citect_anywhere:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5182F21D-1DF5-492A-9A3D-B913AC6B12F6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Request Forgery (CSRF) en el componente Secure Gateway de PowerSCADA Anywhere v1.0 redistribuido con PowerSCADA Expert v8.1 y PowerSCADA Expert v8.2 y Citect Anywhere versi\u00f3n 1.0, de Schneider Electric para m\u00faltiples peticiones de cambio de estado. Este tipo de ataque requiere cierto nivel de ingenier\u00eda social para conseguir que un usuario leg\u00edtimo haga clic o acceda a un enlace o p\u00e1gina maliciosa que contenga el ataque CSRF."}], "id": "CVE-2017-7969", "lastModified": "2017-09-29T17:09:28.900", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-26T01:29:03.460", "references": [{"source": "cybersecurity@se.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "http://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/"}, {"source": "cybersecurity@se.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99913"}, {"source": "cybersecurity@se.com", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory", "Patch"], "url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}