Today the DHS ICS-CERT published a control system security advisory for a product from Schneider Electric. This advisory describes a cross-site scripting vulnerability in the Schneider homeLYnk Controller. The vulnerability was reported by Mohammed Shameem ("@_M_Shahnawaz). Schneider has produced a firmware upgrade to mitigate the vulnerability. There is no indication that Shameem has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause execution of java script code.
NOTE: ICS-CERT has corrected their problem with naming these advisories. All advisories published since the first of the year are now named with a recognizable vendor/product name. It did not require a new formatting change.