CVE-2013-0663

2013-04-0411:58:00

CWE-352

[email protected]

web.nvd.nist.gov

cve-2013-0663

cross-site request forgery

csrf vulnerability

schneider electric

quantum 140noe77111

140noe77101

140nwm10000

m340 bmxnoc0401

bmxnoe0100x

bmxnoe011xx

premium tsxety4103

tsxety5103

tsxwmy100

plc modules

nvd

7.5 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

67.7%

JSON

Cross-site request forgery (CSRF) vulnerability on the Schneider Electric Quantum 140NOE77111, 140NOE77101, and 140NWM10000; M340 BMXNOC0401, BMXNOE0100x, and BMXNOE011xx; and Premium TSXETY4103, TSXETY5103, and TSXWMY100 PLC modules allows remote attackers to hijack the authentication of arbitrary users for requests that execute commands, as demonstrated by modifying HTTP credentials.

CPENameOperatorVersion
schneider-electric:modicon_quantum_plcschneider-electric modicon quantum plceq140nwm10000
schneider-electric:modicon_quantum_plcschneider-electric modicon quantum plceq140noe77101
schneider-electric:modicon_quantum_plcschneider-electric modicon quantum plceq140noe77111
schneider-electric:modicon_m340schneider-electric modicon m340eqbmxnoe011xx
schneider-electric:modicon_m340schneider-electric modicon m340eqbmxnoc0401
schneider-electric:modicon_m340schneider-electric modicon m340eqbmxnoe0100x
schneider-electric:modicon_premiumschneider-electric modicon premiumeqtsxety5103
schneider-electric:modicon_premiumschneider-electric modicon premiumeqtsxety4103
schneider-electric:modicon_premiumschneider-electric modicon premiumeqtsxwmy100

CPE	Name	Operator	Version
schneider-electric:modicon_quantum_plc	schneider-electric modicon quantum plc	eq	140nwm10000
schneider-electric:modicon_quantum_plc	schneider-electric modicon quantum plc	eq	140noe77101
schneider-electric:modicon_quantum_plc	schneider-electric modicon quantum plc	eq	140noe77111
schneider-electric:modicon_m340	schneider-electric modicon m340	eq	bmxnoe011xx
schneider-electric:modicon_m340	schneider-electric modicon m340	eq	bmxnoc0401
schneider-electric:modicon_m340	schneider-electric modicon m340	eq	bmxnoe0100x
schneider-electric:modicon_premium	schneider-electric modicon premium	eq	tsxety5103
schneider-electric:modicon_premium	schneider-electric modicon premium	eq	tsxety4103
schneider-electric:modicon_premium	schneider-electric modicon premium	eq	tsxwmy100

References

ics-cert.us-cert.gov/pdf/ICSA-13-077-01A.pdf

www.schneider-electric.com/download/ww/en/details/35081317-Vulnerability-Disclosure-for-Quantum-Premium-and-M340/

www.schneider-electric.com/download/ww/en/file/36555639-SEVD-2013-023-01.pdf/?fileName=SEVD-2013-023-01.pdf&reference=SEVD-2013-023-01&docType=Technical-paper

www.exploit-db.com/exploits/44678/