CVE-2017-13997

A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server.
References
Link Resource
http://www.securityfocus.com/bid/100952 Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01 Mitigation Third Party Advisory US Government Resource
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:schneider-electric:wonderware_indusoft_web_studio:*:sp2:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:wonderware_intouch:*:sp2:*:*:machine:*:*:*

History

No history.

Information

Published : 2017-10-03 01:29

Updated : 2024-02-04 19:29


NVD link : CVE-2017-13997

Mitre link : CVE-2017-13997

CVE.ORG link : CVE-2017-13997


JSON object : View

Products Affected

schneider-electric

  • wonderware_indusoft_web_studio
  • wonderware_intouch
CWE
CWE-306

Missing Authentication for Critical Function