Schneider Electric PowerChute Business Edition Unspecified Cross Site Scripting Vulnerability

Bugtraq ID:	51022
Class:	Input Validation Error
CVE:	CVE-2011-4263
Remote:	Yes
Local:	No
Published:	Dec 12 2011 12:00AM
Updated:	Mar 19 2015 09:36AM
Credit:	Jun Okada of GLOBAL TECHNOLOGY CORPORATION
Vulnerable:	Schneider Electric PowerChute Business Edition 0
Not Vulnerable:	Schneider Electric PowerChute Business Edition 8.5

Schneider Electric PowerChute Business Edition Unspecified Cross Site Scripting Vulnerability

PowerChute Business Edition from Schneider Electric is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PowerChute Business Edition versions prior to 8.5 are vulnerable.

Schneider Electric PowerChute Business Edition Unspecified Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

Schneider Electric PowerChute Business Edition Unspecified Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for details.

Schneider Electric PowerChute Business Edition Unspecified Cross Site Scripting Vulnerability

References:

• PowerChute Business Edition Homepage (APC)
  
• Schneider Electric Homepage (Schneider Electric)
  
• JVN#61695284 PowerChute Business Edition vulnerable to cross-site scripting (JVN)
  
• JVNDB-2011-000100 PowerChute Business Edition vulnerable to cross-site scripting (JVN)