Vulnerability Details : CVE-2019-6528
PSI GridConnect GmbH Telecontrol Gateway and Smart Telecontrol Unit family, IEC104 Security Proxy versions Telecontrol Gateway 3G Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Telecontrol Gateway XS-MU Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Telecontrol Gateway VM Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Smart Telecontrol Unit TCG Versions 5.0.27, 5.1.19, 6.0.16 and prior, and IEC104 Security Proxy Version 2.2.10 and prior. The web application browser interprets input as active HTML, JavaScript, or VBScript, which could allow an attacker to execute arbitrary code.
Vulnerability category: Cross site scripting (XSS), Execute code
Products affected by CVE-2019-6528
- cpe:2.3:o:psigridconnect:iec104_security_proxy_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:psigridconnect:telecontrol_gateway_xs-mu_firmware:*:*:*:*:*:*:*:*
- Psigridconnect » Telecontrol Gateway Xs-mu Firmware; versions from and including (>=) 5.1.21 up to and including (<=) 6.0.16; cpe:2.3:o:psigridconnect:telecontrol_gateway_xs-mu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:psigridconnect:telecontrol_gateway_vm_firmware:*:*:*:*:*:*:*:*
- Psigridconnect » Telecontrol Gateway Vm Firmware; versions from and including (>=) 5.1.21 up to and including (<=) 6.0.16; cpe:2.3:o:psigridconnect:telecontrol_gateway_vm_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:psigridconnect:telecontrol_gateway_3g_firmware:*:*:*:*:*:*:*:*
- Psigridconnect » Telecontrol Gateway 3g Firmware; versions from and including (>=) 5.1.21 and before (<) 6.0.16; cpe:2.3:o:psigridconnect:telecontrol_gateway_3g_firmware:*:*:*:*:*:*:*:*
- Psigridconnect » Smart Telecontrol Unit Tcg Firmware; versions from and including (>=) 5.1.21 and before (<) 6.0.16; cpe:2.3:o:psigridconnect:smart_telecontrol_unit_tcg_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:psigridconnect:smart_telecontrol_unit_tcg_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-6528
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~ 42 % (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-6528
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2019-6528
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  Assigned by:
  - ics-cert@hq.dhs.gov (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2019-6528
- https://ics-cert.us-cert.gov/advisories/ICSA-19-059-01
  PSI GridConnect Telecontrol | CISA (Third Party Advisory; US Government Resource)
- http://www.securityfocus.com/bid/107201
  Multiple PSI GridConnect GmbH Products CVE-2019-6528 Cross Site Scripting Vulnerability (Third Party Advisory; VDB Entry)