Description
A CWE-601 (URL Redirection to Untrusted Site) vulnerability exists that could cause an open redirect leading to a cross-site scripting attack. By providing URL-encoded input, attackers can cause the software's web application to redirect to a domain of their choosing after a successful login is performed.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: High
- Integrity: Low
- Availability: None
Affected products
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME): Version 2020 CU2 and prior
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME): Version 2021 CU1 and prior
- Schneider Electric / EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module: Advanced Reporting and Dashboards Module 2021 prior to CU2 for EcoStruxure Power Operation 2021
- Schneider Electric / EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module: Advanced Reporting and Dashboards Module 2020 prior to CU3
- Schneider Electric / EcoStruxure Power SCADA Operation (PSO) - Advanced Reporting and Dashboards Module: EcoStruxure Power SCADA Operation (PSO) 2020 or 2020 R2