CVE-2023-2072
Vulnerability from cvelistv5
Published
2023-07-11 13:05
Modified
2024-11-07 17:29
Summary
Rockwell Automation PowerMonitor 1000 Cross-Site Scripting Vulnerability
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:12:19.922Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139761"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:rockwellautomation:powermonitor_1000:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "powermonitor_1000",
            "vendor": "rockwellautomation",
            "versions": [
              {
                "status": "affected",
                "version": "4.011"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2072",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-07T17:28:29.773714Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-07T17:29:16.646Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PowerMonitor 1000",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "V4.011"
            }
          ]
        }
      ],
      "datePublic": "2023-07-11T13:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe Rockwell Automation PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web page of the product. \u0026nbsp;The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "The Rockwell Automation PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web page of the product. \u00a0The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-11T13:05:56.994Z",
        "orgId": "b73dd486-f505-4403-b634-40b078b177f0",
        "shortName": "Rockwell"
      },
      "references": [
        {
          "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139761"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cul\u003e\u003cli\u003eCustomers should upgrade to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://compatibility.rockwellautomation.com/Pages/MultiProductCompareSelections.aspx?crumb=113\u0026amp;versions=58300,55146,54770\"\u003eV4.019\u003c/a\u003e\u0026nbsp;which mitigates this issue\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "\n  *  Customers should upgrade to  V4.019 https://compatibility.rockwellautomation.com/Pages/MultiProductCompareSelections.aspx \u00a0which mitigates this issue\n\n\n\n\n\n"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Rockwell Automation PowerMonitor 1000 Cross-Site Scripting Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0",
    "assignerShortName": "Rockwell",
    "cveId": "CVE-2023-2072",
    "datePublished": "2023-07-11T13:05:56.994Z",
    "dateReserved": "2023-04-14T18:04:06.540Z",
    "dateUpdated": "2024-11-07T17:29:16.646Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-2072\",\"sourceIdentifier\":\"PSIRT@rockwellautomation.com\",\"published\":\"2023-07-11T14:15:09.403\",\"lastModified\":\"2023-07-18T21:02:57.793\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Rockwell Automation PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web page of the product. \u00a0The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.\\n\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"PSIRT@rockwellautomation.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"PSIRT@rockwellautomation.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:rockwellautomation:powermonitor_1000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"882E9A4B-4CBB-40B5-B411-CDF3C33B1156\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:rockwellautomation:powermonitor_1000_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C04FB15-DF14-4CD3-B2F3-27463AF3C900\"}]}]}],\"references\":[{\"url\":\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139761\",\"source\":\"PSIRT@rockwellautomation.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.