Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2017-5571 (GCVE-0-2017-5571)
Vulnerability from cvelistv5
Published
2017-03-03 15:00
Modified
2024-08-05 15:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:04:15.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"name": "96028",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96028"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.citrix.com/article/CTX219885"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-02-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-29T19:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"name": "96028",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96028"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.citrix.com/article/CTX219885"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5571",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager",
"refsource": "CONFIRM",
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"name": "96028",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96028"
},
{
"name": "https://support.citrix.com/article/CTX219885",
"refsource": "CONFIRM",
"url": "https://support.citrix.com/article/CTX219885"
},
{
"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/",
"refsource": "CONFIRM",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/",
"refsource": "CONFIRM",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5571",
"datePublished": "2017-03-03T15:00:00",
"dateReserved": "2017-01-23T00:00:00",
"dateUpdated": "2024-08-05T15:04:15.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2017-5571\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-03-03T15:59:00.883\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de redirecci\u00f3n abierta en el componente lmadmin en Flexera FlexNet Publisher (tambi\u00e9n conocido como Flex License Manager) 11.14.1 y versiones anteriores, como se utiliza en Citrix License Server para Windows y el Citrix License Server VPX, permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a trav\u00e9s de vectores no especificados.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flexerasoftware:flexnet_publisher:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"11.14.1\",\"matchCriteriaId\":\"27B21AC4-B047-470E-BE67-A503B6E935A9\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/96028\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://support.citrix.com/article/CTX219885\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/96028\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.citrix.com/article/CTX219885\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
var-201703-0722
Vulnerability from variot
Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Citrix License Server for Windows and License Server VPX are products of Citrix Systems. The former is a Windows-based authentication server, and the latter is an authentication server device. The attacker exploited the vulnerability to execute a specially crafted URI and induced user clicks. When the user clicks on the link, they are redirected to the attacker-controlled website, causing a phishing attack. Other attacks are possible
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201703-0722",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "flexnet publisher",
"scope": "lte",
"trust": 1.0,
"vendor": "flexerasoftware",
"version": "11.14.1"
},
{
"model": "flexnet publisher",
"scope": "lte",
"trust": 0.8,
"vendor": "flexera",
"version": "11.14.1"
},
{
"model": "license server for windows",
"scope": "lte",
"trust": 0.6,
"vendor": "citrix",
"version": "\u003c=11.14.0.1"
},
{
"model": "license server vpx",
"scope": "lte",
"trust": 0.6,
"vendor": "citrix",
"version": "\u003c=11.14.0.1"
},
{
"model": "flexnet publisher",
"scope": "eq",
"trust": 0.6,
"vendor": "flexerasoftware",
"version": "11.14.1"
},
{
"model": "flexnet publisher",
"scope": "eq",
"trust": 0.3,
"vendor": "flexera",
"version": "11.14.1"
},
{
"model": "license server vpx",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.9"
},
{
"model": "license server vpx",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.6"
},
{
"model": "license server vpx",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.5"
},
{
"model": "license server vpx",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.14.0.1"
},
{
"model": "license server vpx",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.13.1.2"
},
{
"model": "license server vpx",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.12"
},
{
"model": "license server vpx",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.11"
},
{
"model": "license server vpx",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.10"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.11.1"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.9"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.6"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.5"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.14.0.1"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.13.1.2"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.12"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.11"
},
{
"model": "license server for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "citrix",
"version": "11.10"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "flexnet publisher",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
},
{
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"db": "BID",
"id": "96028"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
},
{
"db": "NVD",
"id": "CVE-2017-5571"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:flexerasoftware:flexnet_publisher",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Jan Rude",
"sources": [
{
"db": "BID",
"id": "96028"
},
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
}
],
"trust": 0.9
},
"cve": "CVE-2017-5571",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2017-5571",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2017-01545",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2017-5571",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.8,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-5571",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2017-5571",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2017-01545",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201702-207",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74",
"trust": 0.2,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
},
{
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
},
{
"db": "NVD",
"id": "CVE-2017-5571"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Citrix License Server for Windows and License Server VPX are products of Citrix Systems. The former is a Windows-based authentication server, and the latter is an authentication server device. The attacker exploited the vulnerability to execute a specially crafted URI and induced user clicks. When the user clicks on the link, they are redirected to the attacker-controlled website, causing a phishing attack. Other attacks are possible",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-5571"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"db": "BID",
"id": "96028"
},
{
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-5571",
"trust": 3.5
},
{
"db": "BID",
"id": "96028",
"trust": 2.5
},
{
"db": "ICS CERT",
"id": "ICSA-18-144-01",
"trust": 1.8
},
{
"db": "SCHNEIDER",
"id": "SEVD-2018-137-01",
"trust": 1.0
},
{
"db": "SCHNEIDER",
"id": "SEVD-2018-144-01",
"trust": 1.0
},
{
"db": "CNVD",
"id": "CNVD-2017-01545",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201702-207",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002122",
"trust": 0.8
},
{
"db": "IVD",
"id": "9FF100A5-A25A-47CC-A9F4-725B8FF0FB74",
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
},
{
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"db": "BID",
"id": "96028"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
},
{
"db": "NVD",
"id": "CVE-2017-5571"
}
]
},
"id": "VAR-201703-0722",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
},
{
"db": "CNVD",
"id": "CNVD-2017-01545"
}
],
"trust": 1.271001215
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
},
{
"db": "CNVD",
"id": "CNVD-2017-01545"
}
]
},
"last_update_date": "2024-11-23T21:00:12.385000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CTX219885",
"trust": 0.8,
"url": "https://support.citrix.com/article/CTX219885"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.flexerasoftware.jp/producer/"
},
{
"title": "Patch for the Citrix License Server for Windows and License Server VPX Open Redirection Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/89488"
},
{
"title": "Citrix License Server for Windows and License Server VPX Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67511"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-601",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"db": "NVD",
"id": "CVE-2017-5571"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "http://www.securityfocus.com/bid/96028"
},
{
"trust": 1.9,
"url": "https://support.citrix.com/article/ctx219885"
},
{
"trust": 1.0,
"url": "https://www.schneider-electric.com/en/download/document/sevd-2018-137-01/"
},
{
"trust": 1.0,
"url": "https://www.schneider-electric.com/en/download/document/sevd-2018-144-01/"
},
{
"trust": 1.0,
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"trust": 1.0,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-18-144-01"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5571"
},
{
"trust": 0.8,
"url": "https://www.us-cert.gov/ics/advisories/icsa-18-144-01"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-5571"
},
{
"trust": 0.3,
"url": "http://www.citrix.com"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"db": "BID",
"id": "96028"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
},
{
"db": "NVD",
"id": "CVE-2017-5571"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
},
{
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"db": "BID",
"id": "96028"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
},
{
"db": "NVD",
"id": "CVE-2017-5571"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-02-18T00:00:00",
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
},
{
"date": "2017-02-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"date": "2017-02-06T00:00:00",
"db": "BID",
"id": "96028"
},
{
"date": "2017-03-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"date": "2017-02-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201702-207"
},
{
"date": "2017-03-03T15:59:00.883000",
"db": "NVD",
"id": "CVE-2017-5571"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-02-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-01545"
},
{
"date": "2017-03-07T01:01:00",
"db": "BID",
"id": "96028"
},
{
"date": "2019-07-10T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-002122"
},
{
"date": "2017-03-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201702-207"
},
{
"date": "2024-11-21T03:27:54.400000",
"db": "NVD",
"id": "CVE-2017-5571"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Citrix License Server for Windows and License Server VPX Open redirection vulnerability",
"sources": [
{
"db": "IVD",
"id": "9ff100a5-a25a-47cc-a9f4-725b8ff0fb74"
},
{
"db": "CNVD",
"id": "CNVD-2017-01545"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201702-207"
}
],
"trust": 0.6
}
}
icsa-18-144-01
Vulnerability from csaf_cisa
Published
2018-05-24 00:00
Modified
2018-05-24 00:00
Summary
Schneider Electric Floating License Manager
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of these vulnerabilities could cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.
Critical infrastructure sectors
Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
Countries/areas deployed
Worldwide
Company headquarters location
France
Recommended Practices
NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Recommended Practices
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Exploitability
No known public exploits specifically target these vulnerabilities.
{
"document": {
"acknowledgments": [
{
"organization": "Schneider Electric",
"summary": "reporting these vulnerabilities to NCCIC"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "France",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-18-144-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-144-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-18-144-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-144-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-144-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
"title": "Schneider Electric Floating License Manager",
"tracking": {
"current_release_date": "2018-05-24T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-18-144-01",
"initial_release_date": "2018-05-24T00:00:00.000000Z",
"revision_history": [
{
"date": "2018-05-24T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-18-144-01 Schneider Electric Floating License Manager"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= 3.0",
"product": {
"name": "EcoStruxure Modicon Builder: V3.0 and prior",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "EcoStruxure Modicon Builder"
},
{
"branches": [
{
"category": "product_version",
"name": "8.2 (Standard DC HC Editions)",
"product": {
"name": "EcoStruxure Power Monitoring Expert: 8.2 (Standard DC HC Editions)",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "EcoStruxure Power Monitoring Expert"
},
{
"branches": [
{
"category": "product_version",
"name": "7.30 | 7.40",
"product": {
"name": "SCADA Expert Vijeo Citect / CitectSCADA: Version 7.30 7.40",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "SCADA Expert Vijeo Citect / CitectSCADA"
},
{
"branches": [
{
"category": "product_version",
"name": "1.x (formerly Power Manager)",
"product": {
"name": "Energy Expert: 1.x (formerly Power Manager)",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "Energy Expert"
},
{
"branches": [
{
"category": "product_version",
"name": "8.x (formerly PowerSCADA Expert) (Only with Advanced Reports and Dashboards Module)",
"product": {
"name": "EcoStruxure Power SCADA Operations: 8.x (formerly PowerSCADA Expert) (Only with Advanced Reports and Dashboards Module)",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "EcoStruxure Power SCADA Operations"
},
{
"branches": [
{
"category": "product_version",
"name": "7.2.x",
"product": {
"name": "StruxureWare Power Monitoring Expert: 7.2.x",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "StruxureWare Power Monitoring Expert"
},
{
"branches": [
{
"category": "product_version",
"name": "4.40 | 4.50",
"product": {
"name": "Vijeo Historian/CitectHistorian: Version 4.40 4.50",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "Vijeo Historian/CitectHistorian"
},
{
"branches": [
{
"category": "product_version",
"name": "8.1 (Standard DC HC Editions)",
"product": {
"name": "StruxureWare Power Monitoring Expert: 8.1 (Standard DC HC Editions)",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "StruxureWare Power Monitoring Expert"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=8.1 (Standard DC HC Editions)",
"product": {
"name": "PlantStruxure PES: V4.3 SP1 and prior",
"product_id": "CSAFPID-0009"
}
}
],
"category": "product_name",
"name": "PlantStruxure PES"
},
{
"branches": [
{
"category": "product_version",
"name": "8.0 (Standard DC HC Buildings Editions)",
"product": {
"name": "StruxureWare Power Monitoring Expert: 8.0 (Standard DC HC Buildings Editions)",
"product_id": "CSAFPID-00010"
}
}
],
"category": "product_name",
"name": "StruxureWare Power Monitoring Expert"
},
{
"branches": [
{
"category": "product_version",
"name": "2015 | 2016",
"product": {
"name": "CitectSCADA: Version 2015 2016",
"product_id": "CSAFPID-00011"
}
}
],
"category": "product_name",
"name": "CitectSCADA"
},
{
"branches": [
{
"category": "product_version",
"name": "2016",
"product": {
"name": "CitectHistorian: Version 2016",
"product_id": "CSAFPID-00012"
}
}
],
"category": "product_name",
"name": "CitectHistorian"
}
],
"category": "vendor",
"name": "Schneider Electric Software, LLC"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-2177",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "summary",
"text": "OpenSSL incorrectly uses pointer arithmetic for heap-buffer boundary checks, which may allow denial of service attacks or other unspecified behavior.CVE-2016-2177 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2177"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Schneider Electric recommends that users of affected Citect and PlantStruxure products download and install the new version of the software",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/documents/downloads/Floating_License_Manager_v2.1.0.0.zip"
},
{
"category": "mitigation",
"details": "Users using EcoStruxure Modicon Builder V3.0 are recommended to download and use the new version (V3.1)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://partner.schneider-electric.com/partners/Menu/MyPartnership"
},
{
"category": "mitigation",
"details": "StructureWare 7.2.x users should upgrade to Version 7.2.2 and apply the floating licensing manager (FLM) patch",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/n2fh1ym594pqvl87kf0zjsigamuryrje"
},
{
"category": "mitigation",
"details": "EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations users need to upgrade to Version 8.2. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/kkdikodcksjj1dznqy68ko0j28wct7vb"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-046-01/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
}
]
},
{
"cve": "CVE-2016-10395",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "summary",
"text": "This vulnerability can be exploited to cause an out-of-bounds memory read access, which may allow remote code execution with system privileges.CVE-2016-10395 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10395"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Schneider Electric recommends that users of affected Citect and PlantStruxure products download and install the new version of the software",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/documents/downloads/Floating_License_Manager_v2.1.0.0.zip"
},
{
"category": "mitigation",
"details": "Users using EcoStruxure Modicon Builder V3.0 are recommended to download and use the new version (V3.1)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://partner.schneider-electric.com/partners/Menu/MyPartnership"
},
{
"category": "mitigation",
"details": "StructureWare 7.2.x users should upgrade to Version 7.2.2 and apply the floating licensing manager (FLM) patch",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/n2fh1ym594pqvl87kf0zjsigamuryrje"
},
{
"category": "mitigation",
"details": "EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations users need to upgrade to Version 8.2. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/kkdikodcksjj1dznqy68ko0j28wct7vb"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-046-01/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
}
]
},
{
"cve": "CVE-2017-5571",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "summary",
"text": "An open redirect vulnerability has been identified, which may allow remote attackers to redirect users to arbitrary websites for phishing attacks.CVE-2017-5571 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5571"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Schneider Electric recommends that users of affected Citect and PlantStruxure products download and install the new version of the software",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/documents/downloads/Floating_License_Manager_v2.1.0.0.zip"
},
{
"category": "mitigation",
"details": "Users using EcoStruxure Modicon Builder V3.0 are recommended to download and use the new version (V3.1)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://partner.schneider-electric.com/partners/Menu/MyPartnership"
},
{
"category": "mitigation",
"details": "StructureWare 7.2.x users should upgrade to Version 7.2.2 and apply the floating licensing manager (FLM) patch",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/n2fh1ym594pqvl87kf0zjsigamuryrje"
},
{
"category": "mitigation",
"details": "EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations users need to upgrade to Version 8.2. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/kkdikodcksjj1dznqy68ko0j28wct7vb"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-046-01/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
}
]
}
]
}
ICSA-18-144-01
Vulnerability from csaf_cisa
Published
2018-05-24 00:00
Modified
2018-05-24 00:00
Summary
Schneider Electric Floating License Manager
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of these vulnerabilities could cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.
Critical infrastructure sectors
Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
Countries/areas deployed
Worldwide
Company headquarters location
France
Recommended Practices
NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Recommended Practices
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Exploitability
No known public exploits specifically target these vulnerabilities.
{
"document": {
"acknowledgments": [
{
"organization": "Schneider Electric",
"summary": "reporting these vulnerabilities to NCCIC"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "France",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-18-144-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-144-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-18-144-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-144-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-144-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
"title": "Schneider Electric Floating License Manager",
"tracking": {
"current_release_date": "2018-05-24T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-18-144-01",
"initial_release_date": "2018-05-24T00:00:00.000000Z",
"revision_history": [
{
"date": "2018-05-24T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-18-144-01 Schneider Electric Floating License Manager"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= 3.0",
"product": {
"name": "EcoStruxure Modicon Builder: V3.0 and prior",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "EcoStruxure Modicon Builder"
},
{
"branches": [
{
"category": "product_version",
"name": "8.2 (Standard DC HC Editions)",
"product": {
"name": "EcoStruxure Power Monitoring Expert: 8.2 (Standard DC HC Editions)",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "EcoStruxure Power Monitoring Expert"
},
{
"branches": [
{
"category": "product_version",
"name": "7.30 | 7.40",
"product": {
"name": "SCADA Expert Vijeo Citect / CitectSCADA: Version 7.30 7.40",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "SCADA Expert Vijeo Citect / CitectSCADA"
},
{
"branches": [
{
"category": "product_version",
"name": "1.x (formerly Power Manager)",
"product": {
"name": "Energy Expert: 1.x (formerly Power Manager)",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "Energy Expert"
},
{
"branches": [
{
"category": "product_version",
"name": "8.x (formerly PowerSCADA Expert) (Only with Advanced Reports and Dashboards Module)",
"product": {
"name": "EcoStruxure Power SCADA Operations: 8.x (formerly PowerSCADA Expert) (Only with Advanced Reports and Dashboards Module)",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "EcoStruxure Power SCADA Operations"
},
{
"branches": [
{
"category": "product_version",
"name": "7.2.x",
"product": {
"name": "StruxureWare Power Monitoring Expert: 7.2.x",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "StruxureWare Power Monitoring Expert"
},
{
"branches": [
{
"category": "product_version",
"name": "4.40 | 4.50",
"product": {
"name": "Vijeo Historian/CitectHistorian: Version 4.40 4.50",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "Vijeo Historian/CitectHistorian"
},
{
"branches": [
{
"category": "product_version",
"name": "8.1 (Standard DC HC Editions)",
"product": {
"name": "StruxureWare Power Monitoring Expert: 8.1 (Standard DC HC Editions)",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "StruxureWare Power Monitoring Expert"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=8.1 (Standard DC HC Editions)",
"product": {
"name": "PlantStruxure PES: V4.3 SP1 and prior",
"product_id": "CSAFPID-0009"
}
}
],
"category": "product_name",
"name": "PlantStruxure PES"
},
{
"branches": [
{
"category": "product_version",
"name": "8.0 (Standard DC HC Buildings Editions)",
"product": {
"name": "StruxureWare Power Monitoring Expert: 8.0 (Standard DC HC Buildings Editions)",
"product_id": "CSAFPID-00010"
}
}
],
"category": "product_name",
"name": "StruxureWare Power Monitoring Expert"
},
{
"branches": [
{
"category": "product_version",
"name": "2015 | 2016",
"product": {
"name": "CitectSCADA: Version 2015 2016",
"product_id": "CSAFPID-00011"
}
}
],
"category": "product_name",
"name": "CitectSCADA"
},
{
"branches": [
{
"category": "product_version",
"name": "2016",
"product": {
"name": "CitectHistorian: Version 2016",
"product_id": "CSAFPID-00012"
}
}
],
"category": "product_name",
"name": "CitectHistorian"
}
],
"category": "vendor",
"name": "Schneider Electric Software, LLC"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-2177",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "summary",
"text": "OpenSSL incorrectly uses pointer arithmetic for heap-buffer boundary checks, which may allow denial of service attacks or other unspecified behavior.CVE-2016-2177 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2177"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Schneider Electric recommends that users of affected Citect and PlantStruxure products download and install the new version of the software",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/documents/downloads/Floating_License_Manager_v2.1.0.0.zip"
},
{
"category": "mitigation",
"details": "Users using EcoStruxure Modicon Builder V3.0 are recommended to download and use the new version (V3.1)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://partner.schneider-electric.com/partners/Menu/MyPartnership"
},
{
"category": "mitigation",
"details": "StructureWare 7.2.x users should upgrade to Version 7.2.2 and apply the floating licensing manager (FLM) patch",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/n2fh1ym594pqvl87kf0zjsigamuryrje"
},
{
"category": "mitigation",
"details": "EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations users need to upgrade to Version 8.2. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/kkdikodcksjj1dznqy68ko0j28wct7vb"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-046-01/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
}
]
},
{
"cve": "CVE-2016-10395",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "summary",
"text": "This vulnerability can be exploited to cause an out-of-bounds memory read access, which may allow remote code execution with system privileges.CVE-2016-10395 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10395"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Schneider Electric recommends that users of affected Citect and PlantStruxure products download and install the new version of the software",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/documents/downloads/Floating_License_Manager_v2.1.0.0.zip"
},
{
"category": "mitigation",
"details": "Users using EcoStruxure Modicon Builder V3.0 are recommended to download and use the new version (V3.1)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://partner.schneider-electric.com/partners/Menu/MyPartnership"
},
{
"category": "mitigation",
"details": "StructureWare 7.2.x users should upgrade to Version 7.2.2 and apply the floating licensing manager (FLM) patch",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/n2fh1ym594pqvl87kf0zjsigamuryrje"
},
{
"category": "mitigation",
"details": "EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations users need to upgrade to Version 8.2. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/kkdikodcksjj1dznqy68ko0j28wct7vb"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-046-01/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
}
]
},
{
"cve": "CVE-2017-5571",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "summary",
"text": "An open redirect vulnerability has been identified, which may allow remote attackers to redirect users to arbitrary websites for phishing attacks.CVE-2017-5571 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5571"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Schneider Electric recommends that users of affected Citect and PlantStruxure products download and install the new version of the software",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/documents/downloads/Floating_License_Manager_v2.1.0.0.zip"
},
{
"category": "mitigation",
"details": "Users using EcoStruxure Modicon Builder V3.0 are recommended to download and use the new version (V3.1)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://partner.schneider-electric.com/partners/Menu/MyPartnership"
},
{
"category": "mitigation",
"details": "StructureWare 7.2.x users should upgrade to Version 7.2.2 and apply the floating licensing manager (FLM) patch",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/n2fh1ym594pqvl87kf0zjsigamuryrje"
},
{
"category": "mitigation",
"details": "EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations users need to upgrade to Version 8.2. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://schneider-electric.box.com/s/kkdikodcksjj1dznqy68ko0j28wct7vb"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"category": "mitigation",
"details": "Schneider Electric has also released security notifications which contain further details and upgrade",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-046-01/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012"
]
}
]
}
]
}
ghsa-5mwv-vrx3-5pvv
Vulnerability from github
Published
2022-05-14 03:20
Modified
2025-04-20 03:33
Severity ?
VLAI Severity ?
Details
Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2017-5571"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-03T15:59:00Z",
"severity": "MODERATE"
},
"details": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.",
"id": "GHSA-5mwv-vrx3-5pvv",
"modified": "2025-04-20T03:33:35Z",
"published": "2022-05-14T03:20:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5571"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01"
},
{
"type": "WEB",
"url": "https://support.citrix.com/article/CTX219885"
},
{
"type": "WEB",
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
fkie_cve-2017-5571
Vulnerability from fkie_nvd
Published
2017-03-03 15:59
Modified
2025-04-20 01:37
Severity ?
Summary
Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/96028 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01 | ||
| cve@mitre.org | https://support.citrix.com/article/CTX219885 | Third Party Advisory | |
| cve@mitre.org | https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager | ||
| cve@mitre.org | https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/ | ||
| cve@mitre.org | https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/96028 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://support.citrix.com/article/CTX219885 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| flexerasoftware | flexnet_publisher | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:flexerasoftware:flexnet_publisher:*:*:*:*:*:*:*:*",
"matchCriteriaId": "27B21AC4-B047-470E-BE67-A503B6E935A9",
"versionEndIncluding": "11.14.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de redirecci\u00f3n abierta en el componente lmadmin en Flexera FlexNet Publisher (tambi\u00e9n conocido como Flex License Manager) 11.14.1 y versiones anteriores, como se utiliza en Citrix License Server para Windows y el Citrix License Server VPX, permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2017-5571",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-03T15:59:00.883",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96028"
},
{
"source": "cve@mitre.org",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://support.citrix.com/article/CTX219885"
},
{
"source": "cve@mitre.org",
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"source": "cve@mitre.org",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"source": "cve@mitre.org",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96028"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://support.citrix.com/article/CTX219885"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CERTFR-2018-AVI-254
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans SCADA les produits Schneider Electric. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Schneider Electric | N/A | SoMachine Basic toutes versions antérieures à 1.6 SP1 | ||
| Schneider Electric | N/A | EcoStructure Modicon Builder versions antérieures à V3.1 | ||
| Schneider Electric | N/A | PlantStruxure PES version 4.3 SP1et antérieures |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SoMachine Basic toutes versions ant\u00e9rieures \u00e0 1.6 SP1",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStructure Modicon Builder versions ant\u00e9rieures \u00e0 V3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PlantStruxure PES version 4.3 SP1et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-7783",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7783"
},
{
"name": "CVE-2016-2177",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2177"
},
{
"name": "CVE-2016-10395",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10395"
},
{
"name": "CVE-2017-5571",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5571"
}
],
"initial_release_date": "2018-05-25T00:00:00",
"last_revision_date": "2018-05-28T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-254",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-05-25T00:00:00.000000"
},
{
"description": "Ajout du bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2018-144-01 du 24 mai 2018",
"revision_date": "2018-05-28T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SCADA les produits\nSchneider Electric. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans SCADA les produits Schneider Electric",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2018-144-01 du 24 mai 2018",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2018-142-01 du 22 mai 2018",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-142-01/"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2018-137-01 du 17 mai 2018",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
}
]
}
CERTFR-2017-AVI-041
Vulnerability from certfr_avis
De multiples vulnérabilités ont été corrigées dans les produits Citrix. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Citrix | N/A | Citrix NetScaler ADC et NetScaler Gateway versions 11.1 antérieures au Build 51.21 | ||
| Citrix | N/A | Citrix License Server pour Windows et License Server VPX versions 11.14.0.1 et antérieures | ||
| Citrix | N/A | Citrix NetScaler ADC et NetScaler Gateway versions 10.5 antérieures au Build 65.11 | ||
| Citrix | N/A | Citrix NetScaler ADC et NetScaler Gateway versions 11.0 antérieures au Build 69.12/69.123 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Citrix NetScaler ADC et NetScaler Gateway versions 11.1 ant\u00e9rieures au Build 51.21",
"product": {
"name": "N/A",
"vendor": {
"name": "Citrix",
"scada": false
}
}
},
{
"description": "Citrix License Server pour Windows et License Server VPX versions 11.14.0.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Citrix",
"scada": false
}
}
},
{
"description": "Citrix NetScaler ADC et NetScaler Gateway versions 10.5 ant\u00e9rieures au Build 65.11",
"product": {
"name": "N/A",
"vendor": {
"name": "Citrix",
"scada": false
}
}
},
{
"description": "Citrix NetScaler ADC et NetScaler Gateway versions 11.0 ant\u00e9rieures au Build 69.12/69.123",
"product": {
"name": "N/A",
"vendor": {
"name": "Citrix",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2017-5571",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5571"
},
{
"name": "CVE-2016-0270",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0270"
}
],
"initial_release_date": "2017-02-07T00:00:00",
"last_revision_date": "2017-02-07T00:00:00",
"links": [],
"reference": "CERTFR-2017-AVI-041",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2017-02-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Citrix\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Citrix",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Citrix CTX219885 du 03 f\u00e9vrier 2017",
"url": "https://support.citrix.com/article/CTX219885"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Citrix CTX220329 du 06 f\u00e9vrier 2017",
"url": "https://support.citrix.com/article/CTX220329"
}
]
}
gsd-2017-5571
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2017-5571",
"description": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.",
"id": "GSD-2017-5571"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2017-5571"
],
"details": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.",
"id": "GSD-2017-5571",
"modified": "2023-12-13T01:21:13.595862Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5571",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager",
"refsource": "CONFIRM",
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"name": "96028",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96028"
},
{
"name": "https://support.citrix.com/article/CTX219885",
"refsource": "CONFIRM",
"url": "https://support.citrix.com/article/CTX219885"
},
{
"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/",
"refsource": "CONFIRM",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/",
"refsource": "CONFIRM",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:flexerasoftware:flexnet_publisher:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "11.14.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5571"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.citrix.com/article/CTX219885",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://support.citrix.com/article/CTX219885"
},
{
"name": "96028",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96028"
},
{
"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/",
"refsource": "CONFIRM",
"tags": [],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/"
},
{
"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/",
"refsource": "CONFIRM",
"tags": [],
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/"
},
{
"name": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager",
"refsource": "CONFIRM",
"tags": [],
"url": "https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01",
"refsource": "MISC",
"tags": [],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2018-05-30T01:29Z",
"publishedDate": "2017-03-03T15:59Z"
}
}
}
cnvd-2017-01545
Vulnerability from cnvd
Title
Citrix License Server for Windows and License Server VPX开放重定向漏洞
Description
Citrix License Server for Windows和License Server VPX都是美国思杰系统(Citrix Systems)公司的产品。前者是一款基于Windows系统的认证服务器,后者是一款认证服务器设备。
Citrix License Server for Windows and License Server VPX存在开放重定向漏洞。攻击者利用该漏洞执行特制的URI并诱导用户点击。当用户点击该链接时会被重定向到攻击者控制的网站,造成钓鱼攻击。
Severity
中
VLAI Severity ?
Patch Name
Citrix License Server for Windows and License Server VPX开放重定向漏洞的补丁
Patch Description
Citrix License Server for Windows和License Server VPX都是美国思杰系统(Citrix Systems)公司的产品。前者是一款基于Windows系统的认证服务器,后者是一款认证服务器设备。
Citrix License Server for Windows and License Server VPX存在开放重定向漏洞。攻击者利用该漏洞执行特制的URI并诱导用户点击。当用户点击该链接时会被重定向到攻击者控制的网站,造成钓鱼攻击。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接: https://support.citrix.com/article/CTX219885
Reference
http://www.securityfocus.com/bid/96028
Impacted products
| Name | ['Citrix License Server for Windows <=11.14.0.1', 'Citrix License Server VPX <=11.14.0.1'] |
|---|
{
"bids": {
"bid": {
"bidNumber": "96028"
}
},
"cves": {
"cve": {
"cveNumber": "CVE-2017-5571",
"cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5571"
}
},
"description": "Citrix License Server for Windows\u548cLicense Server VPX\u90fd\u662f\u7f8e\u56fd\u601d\u6770\u7cfb\u7edf\uff08Citrix Systems\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002\u524d\u8005\u662f\u4e00\u6b3e\u57fa\u4e8eWindows\u7cfb\u7edf\u7684\u8ba4\u8bc1\u670d\u52a1\u5668\uff0c\u540e\u8005\u662f\u4e00\u6b3e\u8ba4\u8bc1\u670d\u52a1\u5668\u8bbe\u5907\u3002\r\n\r\nCitrix License Server for Windows and License Server VPX\u5b58\u5728\u5f00\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u7279\u5236\u7684URI\u5e76\u8bf1\u5bfc\u7528\u6237\u70b9\u51fb\u3002\u5f53\u7528\u6237\u70b9\u51fb\u8be5\u94fe\u63a5\u65f6\u4f1a\u88ab\u91cd\u5b9a\u5411\u5230\u653b\u51fb\u8005\u63a7\u5236\u7684\u7f51\u7ad9\uff0c\u9020\u6210\u9493\u9c7c\u653b\u51fb\u3002",
"discovererName": "Jan Rude",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://support.citrix.com/article/CTX219885",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2017-01545",
"openTime": "2017-02-20",
"patchDescription": "Citrix License Server for Windows\u548cLicense Server VPX\u90fd\u662f\u7f8e\u56fd\u601d\u6770\u7cfb\u7edf\uff08Citrix Systems\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002\u524d\u8005\u662f\u4e00\u6b3e\u57fa\u4e8eWindows\u7cfb\u7edf\u7684\u8ba4\u8bc1\u670d\u52a1\u5668\uff0c\u540e\u8005\u662f\u4e00\u6b3e\u8ba4\u8bc1\u670d\u52a1\u5668\u8bbe\u5907\u3002\r\n\r\nCitrix License Server for Windows and License Server VPX\u5b58\u5728\u5f00\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u7279\u5236\u7684URI\u5e76\u8bf1\u5bfc\u7528\u6237\u70b9\u51fb\u3002\u5f53\u7528\u6237\u70b9\u51fb\u8be5\u94fe\u63a5\u65f6\u4f1a\u88ab\u91cd\u5b9a\u5411\u5230\u653b\u51fb\u8005\u63a7\u5236\u7684\u7f51\u7ad9\uff0c\u9020\u6210\u9493\u9c7c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Citrix License Server for Windows and License Server VPX\u5f00\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Citrix License Server for Windows \u003c=11.14.0.1",
"Citrix License Server VPX \u003c=11.14.0.1"
]
},
"referenceLink": "http://www.securityfocus.com/bid/96028",
"serverity": "\u4e2d",
"submitTime": "2017-02-10",
"title": "Citrix License Server for Windows and License Server VPX\u5f00\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…