cvelistv5 - cve-2024-6528

CVE-2024-6528 (GCVE-0-2024-6528)

Vulnerability from cvelistv5

Published

2024-07-11 09:03

Modified

2024-08-01 21:41

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Summary

References

URL

Tags

	cybersecurity@se.com	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-191-04.pdf	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-191-04.pdf	Vendor Advisory

Impacted products

Vendor

Product

Version

Schneider Electric

Modicon Controllers M241 / M251

Version: All versions

	Schneider Electric	Modicon Controllers M258 / LMC058	Version: All versions
	Schneider Electric	Modicon Controllers M262	Version: All Versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6528",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-29T20:04:30.600996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-29T20:04:38.247Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:41:03.525Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Modicon Controllers M241 / M251",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Modicon Controllers M258 / LMC058",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Modicon Controllers M262",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "All Versions"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nCWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site\nScripting\u0027) vulnerability exists that could cause a vulnerability leading to a cross-site scripting\ncondition where attackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a\npage containing the injected payload.\n\n"
            }
          ],
          "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site\nScripting\u0027) vulnerability exists that could cause a vulnerability leading to a cross-site scripting\ncondition where attackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a\npage containing the injected payload."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-11T09:03:27.074Z",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2024-6528",
    "datePublished": "2024-07-11T09:03:27.074Z",
    "dateReserved": "2024-07-05T09:35:52.875Z",
    "dateUpdated": "2024-08-01T21:41:03.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-6528\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2024-07-11T09:15:04.867\",\"lastModified\":\"2024-11-21T09:49:48.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site\\nScripting\u0027) vulnerability exists that could cause a vulnerability leading to a cross-site scripting\\ncondition where attackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a\\npage containing the injected payload.\"},{\"lang\":\"es\",\"value\":\"CWE-79: Existe una vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\\\"Cross-site Scripting\\\") que podr\u00eda causar una vulnerabilidad que conduzca a una condici\u00f3n de cross-site scripting donde los atacantes pueden hacer que el navegador de la v\u00edctima ejecute JavaScript arbitrario cuando visitan una p\u00e1gina que contiene el payload inyectado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:modicon_m241_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"363D8E9E-0169-472F-A891-EF2E7D329EA2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:modicon_m241:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D8FD9D9-F59F-470E-9F7F-CDDD80B0633C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:modicon_m251_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB11232E-0DC2-436F-985A-94BCE6A4F6D4\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:modicon_m251:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8E03A25-B0B6-4BA2-80BC-52C16A6837E0\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:modicon_m258_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"686716B7-1C82-483C-A62F-A33F7C5BF32F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:modicon_m258:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FFBF6514-3E32-4C8E-81BA-D6464824351F\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:modicon_m262_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"95E522F5-019E-4948-86D3-B436EEFBAA67\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:modicon_m262:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2C151DF-D716-4F2F-8129-9D1B88430A72\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:modicon_lmc058_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B05FDCA-D7FB-4931-B058-377B20E1BB1A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:modicon_lmc058:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DFCD3D7-B85B-4C9E-B80C-B83B017183AA\"}]}]}],\"references\":[{\"url\":\"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:41:03.525Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-6528\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-29T20:04:30.600996Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-29T20:04:34.800Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Schneider Electric\", \"product\": \"Modicon Controllers M241 / M251\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Schneider Electric\", \"product\": \"Modicon Controllers M258 / LMC058\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Schneider Electric\", \"product\": \"Modicon Controllers M262\", \"versions\": [{\"status\": \"affected\", \"version\": \"All Versions\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site\\nScripting\u0027) vulnerability exists that could cause a vulnerability leading to a cross-site scripting\\ncondition where attackers can have a victim\\u2019s browser run arbitrary JavaScript when they visit a\\npage containing the injected payload.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\nCWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site\\nScripting\u0027) vulnerability exists that could cause a vulnerability leading to a cross-site scripting\\ncondition where attackers can have a victim\\u2019s browser run arbitrary JavaScript when they visit a\\npage containing the injected payload.\\n\\n\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"076d1eb6-cfab-4401-b34d-6dfc2a413bdb\", \"shortName\": \"schneider\", \"dateUpdated\": \"2024-07-11T09:03:27.074Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-6528\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T21:41:03.525Z\", \"dateReserved\": \"2024-07-05T09:35:52.875Z\", \"assignerOrgId\": \"076d1eb6-cfab-4401-b34d-6dfc2a413bdb\", \"datePublished\": \"2024-07-11T09:03:27.074Z\", \"assignerShortName\": \"schneider\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-v53r-9457-4g25

Vulnerability from github

Published

2024-07-11 09:30

Modified

2024-07-12 18:31

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-6528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-11T09:15:04Z",
    "severity": "MODERATE"
  },
  "details": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site\nScripting\u0027) vulnerability exists that could cause a vulnerability leading to a cross-site scripting\ncondition where attackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a\npage containing the injected payload.",
  "id": "GHSA-v53r-9457-4g25",
  "modified": "2024-07-12T18:31:48Z",
  "published": "2024-07-11T09:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6528"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

icsa-24-354-07

Vulnerability from csaf_cisa

Published

2024-12-19 07:00

Modified

2025-10-21 06:00

Summary

Schneider Electric Modicon Controllers (Update A)

Notes

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to cause a victim's browser to run arbitrary JavaScript when visiting a page containing injected payload.

Critical infrastructure sectors

Commercial Facilities, Critical Manufacturing, and Energy

Countries/areas deployed

Worldwide

Company headquarters location

France

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Recommended Practices

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Recommended Practices

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

Recommended Practices

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

Do not click web links or open attachments in unsolicited email messages.

Recommended Practices

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Recommended Practices

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Recommended Practices

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "organization": "Schneider Electric CPCERT",
        "summary": "reporting this vulnerability to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy \u0026 Use policy (https://www.cisa.gov/privacy-policy).",
        "title": "Legal Notice and Terms of Use"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to cause a victim\u0027s browser to run arbitrary JavaScript when visiting a page containing injected payload. ",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Commercial Facilities, Critical Manufacturing, and Energy",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "France",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolating them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Do not click web links or open attachments in unsolicited email messages.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-24-354-07 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2024/icsa-24-354-07.json"
      },
      {
        "category": "self",
        "summary": "ICSA Advisory ICSA-24-354-07 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-07"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks"
      }
    ],
    "title": "Schneider Electric Modicon Controllers (Update A)",
    "tracking": {
      "current_release_date": "2025-10-21T06:00:00.000000Z",
      "generator": {
        "date": "2025-10-21T17:56:17.330168Z",
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-24-354-07",
      "initial_release_date": "2024-12-19T07:00:00.000000Z",
      "revision_history": [
        {
          "date": "2024-12-19T07:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        },
        {
          "date": "2025-10-21T06:00:00.000000Z",
          "legacy_version": "Update A",
          "number": "2",
          "summary": "Update A - Modified Affect Product version for M258 / LMC058, Added mitigations for M258 / LMC058"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.0.4.19",
                "product": {
                  "name": "Schneider Electric Schneider Electric Modicon Controllers M258 / LMC058: \u003c5.0.4.19",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Schneider Electric Modicon Controllers M258 / LMC058"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.2.8.26",
                "product": {
                  "name": "Schneider Electric Schneider Electric Modicon Controllers M262: \u003c5.2.8.26",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Schneider Electric Modicon Controllers M262"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.2.11.24",
                "product": {
                  "name": "Schneider Electric Schneider Electric Modicon Controllers M251: \u003c5.2.11.24",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Schneider Electric Modicon Controllers M251"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.2.11.24",
                "product": {
                  "name": "Schneider Electric Schneider Electric Modicon Controllers M241: \u003c5.2.11.24",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "Schneider Electric Modicon Controllers M241"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-6528",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A Cross-site Scripting \u202fvulnerability exists \u202fwhere an attacker could cause a victim\u0027s browser run arbitrary JavaScript when they visit a page containing the injected payload.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-6528"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Modicon Controller M241 Firmware version 5.2.11.24 delivered with EcoStruxure Machine Expert v2.2.2  includes a fix for this vulnerability and can be updated  through the Schneider Electric Software Update (SESU) application.  https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/  On the engineering workstation, update to v2.2.2 of  EcoStruxure Machine Expert. Update Modicon Controller M241 to the latest Firmware and  perform reboot",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Modicon Controller M251 Firmware version 5.2.11.24  delivered with EcoStruxure Machine Expert v2.2.2  includes a fix for this vulnerability and can be updated  through the Schneider Electric Software Update (SESU) application.  https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/  On the engineering workstation, update to v2.2.2 of  EcoStruxure Machine Expert. Update Modicon Controller M251 to the latest Firmware and  perform reboot",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/"
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric Modicon Controllers M262 Versions prior to v5.2.8.26: Modicon Controller M262 Firmware version 5.2.8.26  delivered with EcoStruxure Machine Expert v2.2.2  includes a fix for this vulnerability and can be updated  through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/  On the engineering workstation, update to v2.2.2 of  EcoStruxure Machine Expert. Update Modicon Controller M262 to the latest Firmware  and perform reboot",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/"
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric Modicon Controllers Version prior to v5.2.11.24, Schneider Electric Modicon Controllers M258 / LMC058 All versions , Schneider Electric Modicon Controllers M262 Versions prior to v5.2.8.26, Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Modicon Controller M262 Firmware version 5.2.8.26 delivered with EcoStruxure Machine Expert v2.2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application.  https://www.se.com/ww/en/product-range/2226-ecostruxure-machineexpert-software/  On the engineering workstation, update to v2.2.2 of EcoStruxure Machine Expert.  By using Controller Assistant from EcoStruxureTM Machine Expert update Modicon Controller M258/LMC058 and perform reboot .",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://www.se.com/ww/en/product-range/2226-ecostruxure-machineexpert-software/"
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric Modicon Controllers Version prior to v5.2.11.24, Schneider Electric Modicon Controllers M258 / LMC058 All versions , Schneider Electric Modicon Controllers M262 Versions prior to v5.2.8.26, Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Modicon Controller M262 Firmware version 5.2.8.26 delivered with EcoStruxure Machine Expert v2.2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application.  https://www.se.com/ww/en/product-range/2226-ecostruxure-machineexpert-software/  On the engineering workstation, update to v2.2.2 of EcoStruxure Machine Expert.  By using Controller Assistant from EcoStruxureTM Machine Expert update Modicon Controller M258/LMC058 and perform reboot .",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/"
        },
        {
          "category": "mitigation",
          "details": "Users should observe appropriate patching methodologies when applying these patches to their systems. We strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure. Contact Schneider Electric\u0027s Customer Care Center if you need assistance removing a patch.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "mitigation",
          "details": "If users choose not to apply the remediation provided above they should immediately apply the following mitigations to reduce the risk of exploit:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "mitigation",
          "details": "Users should immediately apply the following mitigations to reduce the risk of exploit:  Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure application of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use, when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to port 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required.  The \"Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment\" provide product specific chapters to ensure you are informed of all updates, including details on affected products and remediation plans. Subscribe to Schneider Electric\u0027s security notification service here.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://download.schneider-electric.com/files?\u0026p_enDocType=User+guide\u0026p_File_Name=EIO0000004242.00.pdf\u0026p_Doc_Ref=EIO0000004242"
        },
        {
          "category": "mitigation",
          "details": "For more information, refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-191-04 in PDF and CSAF.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://www.se.com/us/en/download/document/7EN52-0390/"
        },
        {
          "category": "mitigation",
          "details": "For more information, refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-191-04 in PDF and CSAF.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://download.schneider-electric.com/doc/SEVD-2024-191-04/SEVD-2024-191-04.pdf"
        },
        {
          "category": "mitigation",
          "details": "For more information, refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-191-04 in PDF and CSAF.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ]
    }
  ]
}

fkie_cve-2024-6528

Vulnerability from fkie_nvd

Published

2024-07-11 09:15

Modified

2024-11-21 09:49

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	cybersecurity@se.com	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-191-04.pdf	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-191-04.pdf	Vendor Advisory

Impacted products

Vendor	Product	Version
schneider-electric	modicon_m241_firmware	*
schneider-electric	modicon_m241	-
schneider-electric	modicon_m251_firmware	*
schneider-electric	modicon_m251	-
schneider-electric	modicon_m258_firmware	*
schneider-electric	modicon_m258	-
schneider-electric	modicon_m262_firmware	*
schneider-electric	modicon_m262	-
schneider-electric	modicon_lmc058_firmware	*
schneider-electric	modicon_lmc058	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:schneider-electric:modicon_m241_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "363D8E9E-0169-472F-A891-EF2E7D329EA2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:schneider-electric:modicon_m241:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D8FD9D9-F59F-470E-9F7F-CDDD80B0633C",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:schneider-electric:modicon_m251_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB11232E-0DC2-436F-985A-94BCE6A4F6D4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:schneider-electric:modicon_m251:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8E03A25-B0B6-4BA2-80BC-52C16A6837E0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:schneider-electric:modicon_m258_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "686716B7-1C82-483C-A62F-A33F7C5BF32F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:schneider-electric:modicon_m258:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFBF6514-3E32-4C8E-81BA-D6464824351F",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:schneider-electric:modicon_m262_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "95E522F5-019E-4948-86D3-B436EEFBAA67",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:schneider-electric:modicon_m262:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2C151DF-D716-4F2F-8129-9D1B88430A72",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:schneider-electric:modicon_lmc058_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B05FDCA-D7FB-4931-B058-377B20E1BB1A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:schneider-electric:modicon_lmc058:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "0DFCD3D7-B85B-4C9E-B80C-B83B017183AA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site\nScripting\u0027) vulnerability exists that could cause a vulnerability leading to a cross-site scripting\ncondition where attackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a\npage containing the injected payload."
    },
    {
      "lang": "es",
      "value": "CWE-79: Existe una vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\"Cross-site Scripting\") que podr\u00eda causar una vulnerabilidad que conduzca a una condici\u00f3n de cross-site scripting donde los atacantes pueden hacer que el navegador de la v\u00edctima ejecute JavaScript arbitrario cuando visitan una p\u00e1gina que contiene el payload inyectado."
    }
  ],
  "id": "CVE-2024-6528",
  "lastModified": "2024-11-21T09:49:48.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "cybersecurity@se.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-11T09:15:04.867",
  "references": [
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf"
    }
  ],
  "sourceIdentifier": "cybersecurity@se.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cybersecurity@se.com",
      "type": "Primary"
    }
  ]
}

var-202407-0346

Vulnerability from variot

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a vulnerability leading to a cross-site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload. Modicon M241 firmware, Modicon M251 firmware, Modicon M258 firmware etc. Schneider Electric A cross-site scripting vulnerability exists in the product.Information may be obtained and information may be tampered with. Schneider Electric (China) Co., Ltd. is a global electrical company and an expert in global energy efficiency management and automation.

Schneider Electric (China) Co., Ltd. TM241CE24T_U has an XSS vulnerability, which can be exploited by attackers to obtain sensitive information such as user cookies

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202407-0346",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "modicon m251",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "*"
      },
      {
        "model": "modicon m258",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "*"
      },
      {
        "model": "modicon m241",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "*"
      },
      {
        "model": "modicon m262",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "*"
      },
      {
        "model": "modicon lmc058",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "*"
      },
      {
        "model": "modicon m251",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "modicon m241",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "modicon m262",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "modicon m258",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "modicon lmc058",
        "scope": null,
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "tm241ce24t u",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "schneider electric",
        "version": "1.1.0.0"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "db": "NVD",
        "id": "CVE-2024-6528"
      }
    ]
  },
  "cve": "CVE-2024-6528",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "id": "CNVD-2024-32452",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "LOW",
            "trust": 0.6,
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2024-6528",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "cybersecurity@se.com",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.3,
            "id": "CVE-2024-6528",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 6.1,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2024-6528",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2024-6528",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "cybersecurity@se.com",
            "id": "CVE-2024-6528",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2024-6528",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2024-32452",
            "trust": 0.6,
            "value": "LOW"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "db": "NVD",
        "id": "CVE-2024-6528"
      },
      {
        "db": "NVD",
        "id": "CVE-2024-6528"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site\nScripting\u0027) vulnerability exists that could cause a vulnerability leading to a cross-site scripting\ncondition where attackers can have a victim\u2019s browser run arbitrary JavaScript when they visit a\npage containing the injected payload. Modicon M241 firmware, Modicon M251 firmware, Modicon M258 firmware etc. Schneider Electric A cross-site scripting vulnerability exists in the product.Information may be obtained and information may be tampered with. Schneider Electric (China) Co., Ltd. is a global electrical company and an expert in global energy efficiency management and automation. \n\nSchneider Electric (China) Co., Ltd. TM241CE24T_U has an XSS vulnerability, which can be exploited by attackers to obtain sensitive information such as user cookies",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2024-6528"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2024-6528",
        "trust": 3.2
      },
      {
        "db": "SCHNEIDER",
        "id": "SEVD-2024-191-04",
        "trust": 1.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "db": "NVD",
        "id": "CVE-2024-6528"
      }
    ]
  },
  "id": "VAR-202407-0346",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      }
    ]
  },
  "last_update_date": "2024-08-22T03:44:05.018000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Patch for Schneider Electric (China) Co., Ltd. TM241CE24T_U has an XSS vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/583351"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.0
      },
      {
        "problemtype": "Cross-site scripting (CWE-79) [ others ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "db": "NVD",
        "id": "CVE-2024-6528"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.8,
        "url": "https://download.schneider-electric.com/files?p_doc_ref=sevd-2024-191-04\u0026p_endoctype=security+and+safety+notice\u0026p_file_name=sevd-2024-191-04.pdf"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2024-6528"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "db": "NVD",
        "id": "CVE-2024-6528"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "db": "NVD",
        "id": "CVE-2024-6528"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2024-08-20T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      },
      {
        "date": "2024-07-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "date": "2024-07-11T09:15:04.867000",
        "db": "NVD",
        "id": "CVE-2024-6528"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2024-08-20T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2024-32452"
      },
      {
        "date": "2024-07-16T02:54:00",
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      },
      {
        "date": "2024-07-12T16:37:20.283000",
        "db": "NVD",
        "id": "CVE-2024-6528"
      }
    ]
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural \u00a0Schneider\u00a0Electric\u00a0 Cross-site scripting vulnerability in the product",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-004305"
      }
    ],
    "trust": 0.8
  }
}

cnvd-2024-32452

Vulnerability from cnvd

Title

施耐德电气（中国）有限公司TM241CE24T_U存在XSS漏洞

Description

施耐德电气（中国）有限公司是全球化电气企业，全球能效管理和自动化领域的专家。施耐德电气（中国）有限公司TM241CE24T_U存在XSS漏洞，攻击者可利用该漏洞获取用户cookie等敏感信息。

Severity

低

Patch Name

施耐德电气（中国）有限公司TM241CE24T_U存在XSS漏洞的补丁

Patch Description

施耐德电气（中国）有限公司是全球化电气企业，全球能效管理和自动化领域的专家。施耐德电气（中国）有限公司TM241CE24T_U存在XSS漏洞，攻击者可利用该漏洞获取用户cookie等敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-191-04.pdf

Impacted products

Name
施耐德电气（中国）有限公司 TM241CE24T_U 1.1.0.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-6528"
    }
  },
  "description": "\u65bd\u8010\u5fb7\u7535\u6c14\uff08\u4e2d\u56fd\uff09\u6709\u9650\u516c\u53f8\u662f\u5168\u7403\u5316\u7535\u6c14\u4f01\u4e1a\uff0c\u5168\u7403\u80fd\u6548\u7ba1\u7406\u548c\u81ea\u52a8\u5316\u9886\u57df\u7684\u4e13\u5bb6\u3002\n\n\u65bd\u8010\u5fb7\u7535\u6c14\uff08\u4e2d\u56fd\uff09\u6709\u9650\u516c\u53f8TM241CE24T_U\u5b58\u5728XSS\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7528\u6237cookie\u7b49\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "\u5434\u7ae5",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-191-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-191-04.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-32452",
  "openTime": "2024-08-20",
  "patchDescription": "\u65bd\u8010\u5fb7\u7535\u6c14\uff08\u4e2d\u56fd\uff09\u6709\u9650\u516c\u53f8\u662f\u5168\u7403\u5316\u7535\u6c14\u4f01\u4e1a\uff0c\u5168\u7403\u80fd\u6548\u7ba1\u7406\u548c\u81ea\u52a8\u5316\u9886\u57df\u7684\u4e13\u5bb6\u3002\r\n\r\n\u65bd\u8010\u5fb7\u7535\u6c14\uff08\u4e2d\u56fd\uff09\u6709\u9650\u516c\u53f8TM241CE24T_U\u5b58\u5728XSS\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7528\u6237cookie\u7b49\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u65bd\u8010\u5fb7\u7535\u6c14\uff08\u4e2d\u56fd\uff09\u6709\u9650\u516c\u53f8TM241CE24T_U\u5b58\u5728XSS\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "\u65bd\u8010\u5fb7\u7535\u6c14\uff08\u4e2d\u56fd\uff09\u6709\u9650\u516c\u53f8 TM241CE24T_U 1.1.0.0"
  },
  "serverity": "\u4f4e",
  "submitTime": "2024-06-21",
  "title": "\u65bd\u8010\u5fb7\u7535\u6c14\uff08\u4e2d\u56fd\uff09\u6709\u9650\u516c\u53f8TM241CE24T_U\u5b58\u5728XSS\u6f0f\u6d1e"
}

CERTFR-2024-AVI-0549

Vulnerability from certfr_avis

Une vulnérabilité a été découverte dans les produits Schneider Electric. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

L'éditeur indique que le correctif n'est pas encore disponible pour la vulnérabilité CVE-2024-6528. Cependant, des actions sont proposées pour réduire le risque d'exploitation.

Impacted products

Vendor	Product	Description
Schneider Electric	N/A	Modicon Controllers M258 / LMC058 toutes versions pour la vulnérabilité CVE-2024-6528
Schneider Electric	N/A	Modicon Controllers M241 / M251 toutes versions pour la vulnérabilité CVE-2024-6528
Schneider Electric	N/A	Modicon Controllers M262 toutes versions pour la vulnérabilité CVE-2024-6528

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-6528 (GCVE-0-2024-6528)

Vulnerability from cvelistv5

ghsa-v53r-9457-4g25

Vulnerability from github

icsa-24-354-07

Vulnerability from csaf_cisa

fkie_cve-2024-6528

Vulnerability from fkie_nvd

var-202407-0346

Vulnerability from variot

cnvd-2024-32452

Vulnerability from cnvd

CERTFR-2024-AVI-0549

Vulnerability from certfr_avis

Solutions

Tags

Sightings

Nomenclature