Details of VAR-E-201205-0174

ID

VAR-E-201205-0174

CVE

cve_id:

CVE-2012-1990

Trust: 2.4

sources: BID: 53409 // PACKETSTORM: 112487 // EXPLOIT-DB: 37137 // EDBNET: 58404

EDB ID

37137

TITLE

Schneider Electric Telecontrol Kerweb 3.0.0/6.0.0 - 'kw.dll' HTML Injection - PHP webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 37137

DESCRIPTION

Schneider Electric Telecontrol Kerweb 3.0.0/6.0.0 - 'kw.dll' HTML Injection. CVE-2012-1990CVE-81788 . webapps exploit for PHP platform

Trust: 0.6

sources: EXPLOIT-DB: 37137

AFFECTED PRODUCTS

vendor:	schneider	model:	electric telecontrol kerweb	scope:	eq	version:	3.0.0/6.0.0	Trust: 1.6
vendor:	kerweb	model:	kerwin	scope:	eq	version:	/	Trust: 0.5
vendor:	schneider	model:	electric telecontrol kerwin	scope:	eq	version:	6.0.0	Trust: 0.3
vendor:	schneider	model:	electric telecontrol kerweb	scope:	eq	version:	3.0.0	Trust: 0.3
vendor:	schneider	model:	electric telecontrol kerwin	scope:	ne	version:	6.0.1	Trust: 0.3
vendor:	schneider	model:	electric telecontrol kerweb	scope:	ne	version:	3.0.1	Trust: 0.3

sources: BID: 53409 // PACKETSTORM: 112487 // EXPLOIT-DB: 37137 // EDBNET: 58404

EXPLOIT

source: https://www.securityfocus.com/bid/53409/info

Multiple Schneider Electric Telecontrol products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied data before it is used in dynamic content.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

The following products are affected:

Schneider Electric Telecontrol Kerweb versions prior to 3.0.1
Schneider Electric Telecontrol Kerwin versions prior to 6.0.1

http://www.example.com/kw.dll?page=evts.xml&sessionid=xxx&nomenu=&typeevtwin=alms&dt=&gtvariablevalue=&ltvariablevalue=&variablevalue=&nevariablevalue=&evtclass=&evtdevicezone=&evtdevicecountry=&evtdeviceregion=&evtstatustype=&evtseveritytype=&evtstatus=&evtseverity=&evtlevel=&gtdateapp=&ltdateapp=&gtdaterec=&ltdaterec=&evtvariablename=[XSS]

Trust: 1.0

sources: EXPLOIT-DB: 37137

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 37137

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 37137

TYPE

'kw.dll' HTML Injection

Trust: 1.0

sources: EXPLOIT-DB: 37137

CREDITS

phocean

Trust: 0.6

sources: EXPLOIT-DB: 37137

EXTERNAL IDS

db:	NVD	id:	CVE-2012-1990	Trust: 2.4
db:	BID	id:	53409	Trust: 1.9
db:	EXPLOIT-DB	id:	37137	Trust: 1.6
db:	EDBNET	id:	58404	Trust: 0.6
db:	PACKETSTORM	id:	112487	Trust: 0.5

sources: BID: 53409 // PACKETSTORM: 112487 // EXPLOIT-DB: 37137 // EDBNET: 58404

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2012-1990	Trust: 2.1
url:	https://www.securityfocus.com/bid/53409/info	Trust: 1.0
url:	https://www.exploit-db.com/exploits/37137/	Trust: 0.6
url:	http://kerweb.software.informer.com/	Trust: 0.3
url:	http://kerwin.software.informer.com/	Trust: 0.3

sources: BID: 53409 // PACKETSTORM: 112487 // EXPLOIT-DB: 37137 // EDBNET: 58404

SOURCES

db:	BID	id:	53409
db:	PACKETSTORM	id:	112487
db:	EXPLOIT-DB	id:	37137
db:	EDBNET	id:	58404

LAST UPDATE DATE

2022-07-27T09:35:41.915000+00:00

SOURCES UPDATE DATE

db:

BID

id:

53409

date:

2012-05-06T00:00:00

SOURCES RELEASE DATE

db:	BID	id:	53409	date:	2012-05-06T00:00:00
db:	PACKETSTORM	id:	112487	date:	2012-05-06T02:20:00
db:	EXPLOIT-DB	id:	37137	date:	2012-05-06T00:00:00
db:	EDBNET	id:	58404	date:	2012-05-06T00:00:00

tag:	exploit	Trust: 0.5
tag:	vulnerability	Trust: 0.5
tag:	xss	Trust: 0.5

ID

CVE

EDB ID

TITLE

DESCRIPTION

AFFECTED PRODUCTS

EXPLOIT

EXPLOIT LANGUAGE

PRICE

TYPE

TAGS

CREDITS

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

SOURCES UPDATE DATE

SOURCES RELEASE DATE