Lucene search

IcscertCVE-2013-0663

HistoryApr 04, 2013 - 11:58 a.m.

CVE-2013-0663

2013-04-0411:58:48

CWE-352

icscert

web.nvd.nist.gov

cve-2013-0663

cross-site request forgery

csrf vulnerability

schneider electric

quantum 140noe77111

140noe77101

140nwm10000

m340 bmxnoc0401

bmxnoe0100x

bmxnoe011xx

premium tsxety4103

tsxety5103

tsxwmy100

plc modules

nvd

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

7.5

Confidence

Low

EPSS

0.003

Percentile

69.3%

JSON

Cross-site request forgery (CSRF) vulnerability on the Schneider Electric Quantum 140NOE77111, 140NOE77101, and 140NWM10000; M340 BMXNOC0401, BMXNOE0100x, and BMXNOE011xx; and Premium TSXETY4103, TSXETY5103, and TSXWMY100 PLC modules allows remote attackers to hijack the authentication of arbitrary users for requests that execute commands, as demonstrated by modifying HTTP credentials.

Affected configurations

Nvd

Node

schneider-electricmodicon_quantum_plcMatch140noe77101

schneider-electricmodicon_quantum_plcMatch140noe77111

schneider-electricmodicon_quantum_plcMatch140nwm10000

Node

schneider-electricmodicon_m340Matchbmxnoc0401

schneider-electricmodicon_m340Matchbmxnoe011xx

schneider-electricmodicon_m340Matchbmxnoe0100x

Node

schneider-electricmodicon_premiumMatchtsxety4103

schneider-electricmodicon_premiumMatchtsxety5103

schneider-electricmodicon_premiumMatchtsxwmy100

VendorProductVersionCPE
schneider-electricmodicon_quantum_plc140noe77101cpe:2.3:h:schneider-electric:modicon_quantum_plc:140noe77101:*:*:*:*:*:*:*
schneider-electricmodicon_quantum_plc140noe77111cpe:2.3:h:schneider-electric:modicon_quantum_plc:140noe77111:*:*:*:*:*:*:*
schneider-electricmodicon_quantum_plc140nwm10000cpe:2.3:h:schneider-electric:modicon_quantum_plc:140nwm10000:*:*:*:*:*:*:*
schneider-electricmodicon_m340bmxnoc0401cpe:2.3:h:schneider-electric:modicon_m340:bmxnoc0401:*:*:*:*:*:*:*
schneider-electricmodicon_m340bmxnoe011xxcpe:2.3:h:schneider-electric:modicon_m340:bmxnoe011xx:*:*:*:*:*:*:*
schneider-electricmodicon_m340bmxnoe0100xcpe:2.3:h:schneider-electric:modicon_m340:bmxnoe0100x:*:*:*:*:*:*:*
schneider-electricmodicon_premiumtsxety4103cpe:2.3:h:schneider-electric:modicon_premium:tsxety4103:*:*:*:*:*:*:*
schneider-electricmodicon_premiumtsxety5103cpe:2.3:h:schneider-electric:modicon_premium:tsxety5103:*:*:*:*:*:*:*
schneider-electricmodicon_premiumtsxwmy100cpe:2.3:h:schneider-electric:modicon_premium:tsxwmy100:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
schneider-electric	modicon_quantum_plc	140noe77101	cpe:2.3:h:schneider-electric:modicon_quantum_plc:140noe77101:::::::*
schneider-electric	modicon_quantum_plc	140noe77111	cpe:2.3:h:schneider-electric:modicon_quantum_plc:140noe77111:::::::*
schneider-electric	modicon_quantum_plc	140nwm10000	cpe:2.3:h:schneider-electric:modicon_quantum_plc:140nwm10000:::::::*
schneider-electric	modicon_m340	bmxnoc0401	cpe:2.3:h:schneider-electric:modicon_m340:bmxnoc0401:::::::*
schneider-electric	modicon_m340	bmxnoe011xx	cpe:2.3:h:schneider-electric:modicon_m340:bmxnoe011xx:::::::*
schneider-electric	modicon_m340	bmxnoe0100x	cpe:2.3:h:schneider-electric:modicon_m340:bmxnoe0100x:::::::*
schneider-electric	modicon_premium	tsxety4103	cpe:2.3:h:schneider-electric:modicon_premium:tsxety4103:::::::*
schneider-electric	modicon_premium	tsxety5103	cpe:2.3:h:schneider-electric:modicon_premium:tsxety5103:::::::*
schneider-electric	modicon_premium	tsxwmy100	cpe:2.3:h:schneider-electric:modicon_premium:tsxwmy100:::::::*

References

ics-cert.us-cert.gov/pdf/ICSA-13-077-01A.pdf

www.schneider-electric.com/download/ww/en/details/35081317-Vulnerability-Disclosure-for-Quantum-Premium-and-M340/

www.schneider-electric.com/download/ww/en/file/36555639-SEVD-2013-023-01.pdf/?fileName=SEVD-2013-023-01.pdf&reference=SEVD-2013-023-01&docType=Technical-paper

www.exploit-db.com/exploits/44678/