Today the DHS ICS-CERT published a control system security
advisory for a product from Schneider Electric. This advisory
describes a cross-site scripting vulnerability in the Schneider homeLYnk
Controller. The vulnerability was reported by Mohammed Shameem (@_M_Shahnawaz).
Schneider has produced a firmware upgrade to mitigate the vulnerability. There
is no indication that Shameem has been provided an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to cause execution of JavaScript code.
NOTE: ICS-CERT has corrected their problem with naming these
advisories. All advisories published since the first of the year are now named
with a recognizable vendor/product name. It did not require a new formatting change.