ID

VAR-201802-0613


CVE

CVE-2017-9963


TITLE

Schneider Electric PowerSCADA Anywhere and Citect Anywhere Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-06429 // CNNVD: CNNVD-201706-1085

DESCRIPTION

A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack. PowerSCADA Anywhere contains a cross-site request forgery vulnerability. Information may be obtained and information may be altered. Schneider Electric PowerSCADA Anywhere and Citect Anywhere are products of Schneider Electric, France. Schneider Electric PowerSCADA Anywhere is a substation monitoring system. PowerSCADA Expert is data acquisition software. Citect Anywhere is a mobile application for PowerSCADA Anywhere. A remote attacker could exploit this vulnerability to perform unauthorized operations.

Trust: 2.34

sources: NVD: CVE-2017-9963 // JVNDB: JVNDB-2017-012739 // CNVD: CNVD-2018-06429 // IVD: e2e9931e-39ab-11e9-8ae4-000c29342cb1

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2e9931e-39ab-11e9-8ae4-000c29342cb1 // CNVD: CNVD-2018-06429

AFFECTED PRODUCTS

vendor: schneider electric, model: powerscada anywhere, scope: eq, version: 1.0

Trust: 1.6

vendor: schneider electric, model: powerscada anywhere, scope: eq, version: v1.0

Trust: 0.8

vendor: schneider, model: electric citect anywhere, scope: eq, version: 1.0

Trust: 0.6

vendor: schneider, model: electric powerscada anywhere, scope: eq, version: 1.0

Trust: 0.6

vendor: powerscada anywhere, model: -, scope: eq, version: 1.0

Trust: 0.2

sources: IVD: e2e9931e-39ab-11e9-8ae4-000c29342cb1 // CNVD: CNVD-2018-06429 // JVNDB: JVNDB-2017-012739 // CNNVD: CNNVD-201706-1085 // NVD: CVE-2017-9963

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9963
value: HIGH

Trust: 1.0

NVD: CVE-2017-9963
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-06429
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-1085
value: HIGH

Trust: 0.6

IVD: e2e9931e-39ab-11e9-8ae4-000c29342cb1
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-9963
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-06429
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2e9931e-39ab-11e9-8ae4-000c29342cb1
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9963
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: IVD: e2e9931e-39ab-11e9-8ae4-000c29342cb1 // CNVD: CNVD-2018-06429 // JVNDB: JVNDB-2017-012739 // CNNVD: CNNVD-201706-1085 // NVD: CVE-2017-9963

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2017-012739 // NVD: CVE-2017-9963

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-1085

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201706-1085

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012739

PATCH

title: Security Notification - PowerSCADA Anywhere
url: https://www.schneider-electric.com/en/download/document/SEVD-2017-173-01/

Trust: 0.8

title: Security Notification - Citect Anywhere
url: https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere

Trust: 0.8

title: Patch for Schneider Electric PowerSCADA Anywhere and Citect Anywhere cross-site request forgery vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/123529

Trust: 0.6

title: Schneider Electric PowerSCADA Anywhere and Citect Anywhere Cross-site request forgery vulnerability Repair measures
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91928

Trust: 0.6

sources: CNVD: CNVD-2018-06429 // JVNDB: JVNDB-2017-012739 // CNNVD: CNNVD-201706-1085

EXTERNAL IDS

db: NVD, id: CVE-2017-9963

Trust: 3.2

db: SCHNEIDER, id: SEVD-2017-173-01

Trust: 2.2

db: CNVD, id: CNVD-2018-06429

Trust: 0.8

db: CNNVD, id: CNNVD-201706-1085

Trust: 0.8

db: JVNDB, id: JVNDB-2017-012739

Trust: 0.8

db: IVD, id: E2E9931E-39AB-11E9-8AE4-000C29342CB1

Trust: 0.2

sources: IVD: e2e9931e-39ab-11e9-8ae4-000c29342cb1 // CNVD: CNVD-2018-06429 // JVNDB: JVNDB-2017-012739 // CNNVD: CNNVD-201706-1085 // NVD: CVE-2017-9963

REFERENCES

url: http://www.schneider-electric.com/en/download/document/sevd-2017-173-01/

Trust: 2.2

url: https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9071-security-notification-citect-anywhere

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9963

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-9963

Trust: 0.8

sources: CNVD: CNVD-2018-06429 // JVNDB: JVNDB-2017-012739 // CNNVD: CNNVD-201706-1085 // NVD: CVE-2017-9963

SOURCES

db: IVD, id: e2e9931e-39ab-11e9-8ae4-000c29342cb1
db: CNVD, id: CNVD-2018-06429
db: JVNDB, id: JVNDB-2017-012739
db: CNNVD, id: CNNVD-201706-1085
db: NVD, id: CVE-2017-9963

LAST UPDATE DATE

2024-11-23T22:12:40.299000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-06429, date: 2018-03-27T00:00:00
db: JVNDB, id: JVNDB-2017-012739, date: 2018-04-11T00:00:00
db: CNNVD, id: CNNVD-201706-1085, date: 2019-04-24T00:00:00
db: NVD, id: CVE-2017-9963, date: 2024-11-21T03:37:15.757

SOURCES RELEASE DATE

db: IVD, id: e2e9931e-39ab-11e9-8ae4-000c29342cb1, date: 2018-03-27T00:00:00
db: CNVD, id: CNVD-2018-06429, date: 2018-03-27T00:00:00
db: JVNDB, id: JVNDB-2017-012739, date: 2018-04-11T00:00:00
db: CNNVD, id: CNNVD-201706-1085, date: 2017-06-27T00:00:00
db: NVD, id: CVE-2017-9963, date: 2018-02-12T23:29:00.213