Vulnerability Details : CVE-2018-7797
A URL redirection vulnerability exists in Power Monitoring Expert, Energy Expert (formerly Power Manager) - EcoStruxure Power Monitoring Expert (PME) v8.2 (all editions), EcoStruxure Energy Expert 1.3 (formerly Power Manager), EcoStruxure Power SCADA Operation (PSO) 8.2 Advanced Reports and Dashboards Module, EcoStruxure Power Monitoring Expert (PME) v9.0, EcoStruxure Energy Expert v2.0, and EcoStruxure Power SCADA Operation (PSO) 9.0 Advanced Reports and Dashboards Module which could cause a phishing attack when redirected to a malicious site.
Vulnerability category: Open redirect
Products affected by CVE-2018-7797
- cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:ecostruxure_energy_expert:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:ecostruxure_energy_expert:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:9.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-7797
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- Percentile: ~38% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-7797
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2018-7797
- A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-7797
- http://www.securityfocus.com/bid/106277
  Multiple Schneider Electric EcoStruxure Products CVE-2018-7797 Open Redirection Vulnerability (Third Party Advisory; VDB Entry)
- https://www.schneider-electric.com/en/download/document/SEVD-2018-347-01/
  Vendor Advisory