1. EXECUTIVE SUMMARY
- CVSS v4 8.2
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: RTU500 series
- Vulnerabilities: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Improper Validation of Specified Index, Position, or Offset in Input
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute cross-site scripting or trigger a denial-of-service condition on the affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports the following products are affected:
- RTU500 series: Versions 12.0.1 to 12.0.14
- RTU500 series: Versions 12.2.1 to 12.2.11
- RTU500 series: Versions 12.4.1 to 12.4.11
- RTU500 series: Versions 12.6.1 to 12.6.9
- RTU500 series: Versions 12.7.1 to 12.7.6
- RTU500 series: Versions 13.2.1 to 13.2.6
- RTU500 series: Versions 13.4.1 to 13.4.3
3.2 VULNERABILITY OVERVIEW
3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79
A vulnerability exists in the webserver that affects the RTU500 series product versions listed above. A malicious actor could perform cross-site scripting on the webserver due to an RDT language file being improperly sanitized.
CVE-2023-5767 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2023-5767. A base score
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: