Multiple Schneider Electric EcoStruxure Products CVE-2018-7797 Open Redirection Vulnerability
BID:106277
| Bugtraq ID: | 106277 |
| Class: | Unknown |
| CVE: | CVE-2018-7797 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 20 2018 12:00AM |
| Updated: | Dec 20 2018 12:00AM |
| Credit: | Donato Onofri |
| Vulnerable: | Schneider-Electric EcoStruxure Power SCADA Operation 8.2; Schneider-Electric EcoStruxure Power Monitoring Expert 9.0; Schneider-Electric EcoStruxure Power Monitoring Expert 8.2; Schneider-Electric EcoStruxure Energy Expert 2.0; Schneider-Electric EcoStruxure Energy Expert 1.3; Schneider-Electric EcoStruxure Power SCADA Operation 9.0 |
| Not Vulnerable: | |
Discussion
Multiple Schneider Electric EcoStruxure Products are prone to an open-redirection vulnerability.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
The following product versions are vulnerable:
EcoStruxure Power Monitoring Expert (PME) version 8.2 (all editions) and 9.0
EcoStruxure Energy Expert 1.3 and 2.0
EcoStruxure Power SCADA Operation (PSO) 8.2
EcoStruxure Power SCADA Operation (PSO) 9.0
Exploit / POC
An attacker can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.