Schneider Electric released a fix to take care of a cross-site scripting vulnerability in its PowerLogic PM5560, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability could allow user input to be manipulated, allowing for remote code execution.
A power management system, PowerLogic PM5560 all versions prior to firmware Version 2.5.4 suffer from the issue, discovered Ezequiel Fernandez and Bertin Jose, who worked with Schneider Electric on the vulnerability.
The PowerLogic PM5560 product is susceptible to cross-site scripting attack on its web browser. An attacker may be able to manipulate inputs to cause execution of java script code.
CVE-2018-7795 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.2.
The product sees use mainly in the energy sector, and it sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Schneider Electric has released a fix to address this vulnerability.
For more information see the Schneider Electric security notification.