4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
52.0%
Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code.
The following versions of Scada-LTS, an open-source HMI, are affected:
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (βCROSS-SITE SCRIPTINGβ) CWE-79
Scada-LTS versions 2.7.4 and prior are vulnerable to cross-site scripting. This could allow a remote attacker to craft malicious URLs that may execute arbitrary code in an authenticated userβs browser and print sensitive information.
CVE-2015-1179 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
Hunter Wodzenski reported this vulnerability to CISA.
Scada-LTS has fixed this vulnerability and Scada-LTS users are recommended to upgrade to version 2.7.4.1 or later.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1179
cisa.gov/ics
cisa.gov/ics
cwe.mitre.org/data/definitions/79.html
github.com/SCADA-LTS/Scada-LTS/releases
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Scada-LTS%20Third%20Party%20Component+https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02
us-cert.cisa.gov/ics/Recommended-Practices
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02&title=Scada-LTS%20Third%20Party%20Component
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Scada-LTS%20Third%20Party%20Component&body=www.cisa.gov/news-events/ics-advisories/icsa-23-115-02