Details of VAR-201702-0677

ID

VAR-201702-0677

CVE

CVE-2017-5157

TITLE

Schneider homeLYnk Controller LSS1001003 Cross-Site Scripting Vulnerability

Trust: 0.8

sources: IVD: 933d4e66-186c-4eee-8f95-82af659f1a68 // CNVD: CNVD-2017-01102

DESCRIPTION

An issue was discovered in Schneider Electric homeLYnk Controller, LSS100100, all versions prior to V1.5.0. The homeLYnk controller is susceptible to a cross-site scripting attack. User inputs can be manipulated to cause execution of JavaScript code. Schneider Electric homeLYnk Controller Contains a cross-site scripting vulnerability.Through expertly crafted user input, JavaScript The code may be executed. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. The SchneiderhomeLYnkControllerLSS1001003 is a logic controller. An attacker could exploit the vulnerability to execute arbitrary script code on a user's browser on an affected website, stealing a cookie-based authentication certificate and launching other attacks. LSS100100 is one of the versions

Trust: 2.7

sources: NVD: CVE-2017-5157 // JVNDB: JVNDB-2017-001603 // CNVD: CNVD-2017-01102 // BID: 95665 // IVD: 933d4e66-186c-4eee-8f95-82af659f1a68 // VULHUB: VHN-113360

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 933d4e66-186c-4eee-8f95-82af659f1a68 // CNVD: CNVD-2017-01102

AFFECTED PRODUCTS

vendor:	schneider electric	model:	homelynk controller lss100100	scope:	eq	version:	1.3.0	Trust: 1.6
vendor:	schneider electric	model:	homelynk controller lss100100	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	homelynk controller lss100100	scope:	lt	version:	v1.5.0	Trust: 0.8
vendor:	schneider	model:	electric homelynk controller lss100100	scope:	eq	version:	0	Trust: 0.6
vendor:	schneider electric	model:	homelynk controller lss100100	scope:	eq	version:	0	Trust: 0.3
vendor:	schneider electric	model:	homelynk controller lss100100	scope:	ne	version:	1.5.1	Trust: 0.3
vendor:	homelynk controller lss100100	model:	-	scope:	eq	version:	1.3.0	Trust: 0.2

sources: IVD: 933d4e66-186c-4eee-8f95-82af659f1a68 // CNVD: CNVD-2017-01102 // BID: 95665 // JVNDB: JVNDB-2017-001603 // CNNVD: CNNVD-201701-826 // NVD: CVE-2017-5157

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-5157
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-5157
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-01102
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201701-826
value:	MEDIUM
Trust: 0.6
IVD:	933d4e66-186c-4eee-8f95-82af659f1a68
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-113360
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-5157
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-01102
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	933d4e66-186c-4eee-8f95-82af659f1a68
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-113360
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-5157
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: IVD: 933d4e66-186c-4eee-8f95-82af659f1a68 // CNVD: CNVD-2017-01102 // VULHUB: VHN-113360 // JVNDB: JVNDB-2017-001603 // CNNVD: CNNVD-201701-826 // NVD: CVE-2017-5157

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-113360 // JVNDB: JVNDB-2017-001603 // NVD: CVE-2017-5157

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201701-826

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201701-826

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-001603

PATCH

title:	SEVD-2017-011-01	url:	http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-011-01	Trust: 0.8
title:	Patch for SchneiderhomeLYnkControllerLSS1001003 Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/88800	Trust: 0.6
title:	Schneider Electric homeLYnk Controller LSS1001003 Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68287	Trust: 0.6

sources: CNVD: CNVD-2017-01102 // JVNDB: JVNDB-2017-001603 // CNNVD: CNNVD-201701-826

EXTERNAL IDS

db:	NVD	id:	CVE-2017-5157	Trust: 3.6
db:	BID	id:	95665	Trust: 2.6
db:	ICS CERT	id:	ICSA-17-019-01	Trust: 2.0
db:	CNNVD	id:	CNNVD-201701-826	Trust: 0.9
db:	CNVD	id:	CNVD-2017-01102	Trust: 0.8
db:	ICS CERT	id:	ICSA-17-019-01A	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-001603	Trust: 0.8
db:	SCHNEIDER	id:	SEVD-2017-011-01	Trust: 0.3
db:	IVD	id:	933D4E66-186C-4EEE-8F95-82AF659F1A68	Trust: 0.2
db:	VULHUB	id:	VHN-113360	Trust: 0.1

sources: IVD: 933d4e66-186c-4eee-8f95-82af659f1a68 // CNVD: CNVD-2017-01102 // VULHUB: VHN-113360 // BID: 95665 // JVNDB: JVNDB-2017-001603 // CNNVD: CNNVD-201701-826 // NVD: CVE-2017-5157

REFERENCES

url:	http://www.securityfocus.com/bid/95665	Trust: 2.3
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-019-01	Trust: 2.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5157	Trust: 0.8
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-019-01a	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-5157	Trust: 0.8
url:	http://www.schneider-electric.com/en/product-range/62143-homelynk-?n=1687035610	Trust: 0.3
url:	www.controlmicrosystems.com	Trust: 0.3
url:	http://www.schneider-electric.com/en/download/document/sevd-2017-011-01/	Trust: 0.3

sources: CNVD: CNVD-2017-01102 // VULHUB: VHN-113360 // BID: 95665 // JVNDB: JVNDB-2017-001603 // CNNVD: CNNVD-201701-826 // NVD: CVE-2017-5157

CREDITS

Mohammed Shameem

Trust: 0.9

sources: BID: 95665 // CNNVD: CNNVD-201701-826

SOURCES

db:	IVD	id:	933d4e66-186c-4eee-8f95-82af659f1a68
db:	CNVD	id:	CNVD-2017-01102
db:	VULHUB	id:	VHN-113360
db:	BID	id:	95665
db:	JVNDB	id:	JVNDB-2017-001603
db:	CNNVD	id:	CNNVD-201701-826
db:	NVD	id:	CVE-2017-5157

LAST UPDATE DATE

2025-04-20T23:26:13.473000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-01102	date:	2017-02-08T00:00:00
db:	VULHUB	id:	VHN-113360	date:	2017-02-17T00:00:00
db:	BID	id:	95665	date:	2017-01-23T00:12:00
db:	JVNDB	id:	JVNDB-2017-001603	date:	2017-03-08T00:00:00
db:	CNNVD	id:	CNNVD-201701-826	date:	2022-02-07T00:00:00
db:	NVD	id:	CVE-2017-5157	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	933d4e66-186c-4eee-8f95-82af659f1a68	date:	2017-02-08T00:00:00
db:	CNVD	id:	CNVD-2017-01102	date:	2017-02-08T00:00:00
db:	VULHUB	id:	VHN-113360	date:	2017-02-13T00:00:00
db:	BID	id:	95665	date:	2017-01-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-001603	date:	2017-03-08T00:00:00
db:	CNNVD	id:	CNNVD-201701-826	date:	2017-01-19T00:00:00
db:	NVD	id:	CVE-2017-5157	date:	2017-02-13T21:59:02.767