Your one-stop web resource providing safety and security information to manufacturers

AVEVA Software, LLC (AVEVA) has an update to mitigate a cross-site scripting vulnerability in its InTouch Access Anywhere, according to a report with NCCIC.

Successful exploitation of this remotely exploitable vulnerability, discovered by Google’s Security Team, may allow attackers to obtain sensitive information and/or execute Javascript or HTML code.

RELATED STORIES
WECON Mitigation for LeviStudioU Holes
Johnson Controls’ Error Message Mitigation
Davolink Clears Network Switch Hole
Moxa Fixes NPort 5210, 5230, 5232 Hole

The following versions of InTouch Access Anywhere, remote access software, use the vulnerable jQuery library:
• 2017 Update 2 and prior.

Vulnerable versions of jQuery are those prior to Version 3.0.0.

Cyber Security

In the issue, jQuery before Version 3.0.0 is vulnerable to cross-site scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2015-9251 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

The product sees use mainly in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater sectors. It also sees action on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

AVEVA recommends users install update “InTouch Access Anywhere 2017 Update 2b” or later. (login required)

In addition, AVEVA published Security Bulletin LFSEC00000126.

Pin It on Pinterest

Share This