vendor:
Telecontrol
by:
SecurityFocus
7,5
CVSS
HIGH
HTML-Injection
79
CWE
Product Name: Telecontrol
Affected Version From: Schneider Electric Telecontrol Kerweb versions prior to 3.0.1, Schneider Electric Telecontrol Kerwin versions prior to 6.0.1
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012
Schneider Electric Telecontrol Products HTML-Injection Vulnerability
Multiple Schneider Electric Telecontrol products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied data before it is used in dynamic content. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to generate dynamic content.
