CVE-2023-5987 - OpenCVE

A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Ecostruxure Power Monitoring Expert

Configuration 1 [-]

OR	cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2020:-::::::
	cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2020:cumulative_update_1::::::
	cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2020:cumulative_update_2::::::
	cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2021:-::::::
	cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2021:cumulative_update_1::::::

No data.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-02.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2023-11-15T03:48:50.993Z

Updated: 2024-08-02T08:14:25.122Z

Reserved: 2023-11-07T10:58:51.030Z

Link: CVE-2023-5987

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-15T04:15:19.700

Modified: 2023-11-30T15:05:45.607

Link: CVE-2023-5987

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5987", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2023-11-07T10:58:51.030Z", "datePublished": "2023-11-15T03:48:50.993Z", "dateUpdated": "2024-08-02T08:14:25.122Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EcoStruxure Power Monitoring Expert (PME)", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Version 2020 CU2 and prior"}, {"status": "affected", "version": "Version 2021 CU1 and prior"}]}, {"defaultStatus": "unaffected", "product": "EcoStruxure Power Operation (EPO) \u2013 Advanced Reporting and Dashboards Module", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Advanced Reporting and Dashboards Module 2021 prior to CU2 for EcoStruxure Power Operation 2021"}, {"status": "affected", "version": "Advanced Reporting and Dashboards Module 2020 prior to CU3"}]}, {"defaultStatus": "unaffected", "product": "EcoStruxure Power SCADA Operation (PSO) - Advanced Reporting and Dashboards Module", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "EcoStruxure Power SCADA Operation (PSO) 2020 or 2020 R2"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nA CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)\nvulnerability that could cause a vulnerability leading to a cross site scripting condition where\nattackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a page containing\nthe injected payload.\n\n"}], "value": "\nA CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)\nvulnerability that could cause a vulnerability leading to a cross site scripting condition where\nattackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a page containing\nthe injected payload.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2023-11-15T03:48:50.993Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-02.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:14:25.122Z"}, "title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-02.pdf", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2020:-:*:*:*:*:*:*", "matchCriteriaId": "E4A6EB67-7D2A-4899-BAC7-18BD6F5D6700", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2020:cumulative_update_1:*:*:*:*:*:*", "matchCriteriaId": "62689EF4-C9D4-47FB-9722-C9C2EFB0C858", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2020:cumulative_update_2:*:*:*:*:*:*", "matchCriteriaId": "2D20050D-A7BB-4BB1-9C4C-DB3321DF087B", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2021:-:*:*:*:*:*:*", "matchCriteriaId": "B4579BF1-DD9F-4AD7-A1CE-2AD2B7389B8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:2021:cumulative_update_1:*:*:*:*:*:*", "matchCriteriaId": "B38506D4-26CD-405C-99FC-0E8F9D39DA57", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nA CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)\nvulnerability that could cause a vulnerability leading to a cross site scripting condition where\nattackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a page containing\nthe injected payload.\n\n"}, {"lang": "es", "value": "Una vulnerabilidad CWE-79: Neutralizaci\u00f3n Inadecuada de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web (Cross-site Scripting) que podr\u00eda causar una vulnerabilidad que conduzca a una condici\u00f3n de Cross-Site Scripting donde los atacantes pueden hacer que el navegador de la v\u00edctima ejecute JavaScript arbitrario cuando visitan una p\u00e1gina que contiene un payload inyectado."}], "id": "CVE-2023-5987", "lastModified": "2023-11-30T15:05:45.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cybersecurity@se.com", "type": "Secondary"}]}, "published": "2023-11-15T04:15:19.700", "references": [{"source": "cybersecurity@se.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-02.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cybersecurity@se.com", "type": "Primary"}]}