AVEVA Software, LLC (AVEVA) has an update to mitigate a cross-site scripting vulnerability in its InTouch Access Anywhere software, according to a report with NCCIC.
The following versions of InTouch Access Anywhere, a remote access software product, use the vulnerable jQuery library:
• 2017 Update 2 and prior.
Vulnerable versions of jQuery are those prior to Version 3.0.0.
CVE-2015-9251 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.
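As an added example (not AVEVA's or NCCIC's code), the following sketch shows one way to check a directory of deployed web assets for bundled jQuery builds prior to 3.0.0. It relies on jQuery's banner comment and, as a fallback, the `jquery:"x.y.z"` literal found in some older builds; the status labels, the sample strings and the treatment of 3.0.0 pre-releases as vulnerable are assumptions of this example.

```python
import re
import sys
from pathlib import Path

FIXED = (3, 0, 0)  # from the advisory: jQuery prior to 3.0.0 is vulnerable

# Banner comment of minified ("/*! jQuery v1.12.4 | ...") and unminified
# ("/*!\n * jQuery JavaScript Library v1.12.4") builds.
BANNER = re.compile(r"/\*!?\s*(?:\*\s*)?jQuery (?:JavaScript Library )?"
                    r"v(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?")
# Fallback when the banner was stripped: the jquery:"x.y.z" property literal.
LITERAL = re.compile(r"""\bjquery\s*:\s*["'](\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?["']""")


def classify(text):
    """Return (version_string, status) for the contents of one .js file."""
    m = BANNER.search(text) or LITERAL.search(text)
    if not m:
        return None, "unknown"  # no version marker: needs manual review
    major, minor, patch, pre = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    label = ".".join(map(str, version)) + (pre or "")
    # Assumption: a 3.0.0 pre-release (e.g. 3.0.0-beta1) counts as prior to 3.0.0.
    if version < FIXED or (version == FIXED and pre):
        return label, "vulnerable"
    return label, "not-affected"  # with respect to the 3.0.0 threshold only


def scan(root):
    """Classify .js files under root that mention jQuery: {path: (version, status)}."""
    results = {}
    for path in sorted(Path(root).rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if "jquery" in text.lower():
            results[str(path.relative_to(root))] = classify(text)
    return results


# Constructed sample file heads (not taken from an InTouch Access Anywhere install).
SAMPLES = {
    "min": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
    "full": "/*!\n * jQuery JavaScript Library v2.2.4\n * http://jquery.com/\n */",
    "stripped": '(function(){var e={jquery:"1.7.2",length:0}})();',
    "fixed": "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors */",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, (ver, status) in scan(sys.argv[1]).items():
            print(f"{status:13} {ver or '-':12} {name}")
    else:
        for name, text in SAMPLES.items():
            print(name, classify(text))
```

Files reported as `unknown` mention jQuery but carry no recognizable version marker, so they need a manual look rather than being treated as safe.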
The product sees use mainly in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater sectors. It is also used on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
AVEVA recommends users install update “InTouch Access Anywhere 2017 Update 2b” or later. (login required)
In addition, AVEVA published Security Bulletin LFSEC00000126.