Schneider.Electric.Telecontrol.Products.kw.dll.HTML.Injection

Description

This indicates an attack attempt against a Cross-Site Scripting vulnerability in Multimedia Builder.
The vulnerability is caused by insufficient sanitization of the "evtvariablename" parameter that is passed to "kw.dll". It may allow remote attackers to execute arbitrary script code via a crafted HTTP request.

Affected Products

Schneider Electric Kerweb before 3.0.1 and Kerwin before 6.0.1

Impact

System Compromise: Remote attackers can execute arbitrary script code in the context of the affected site.

Recommended Actions

Upgrade to the latest version, available from the web site:
http://kerweb.software.informer.com/
http://kerwin.software.informer.com/

Coverage

IPS (Regular DB)
IPS (Extended DB)