CVE-2023-32659
6.5
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L
Summary
SUBNET PowerSYSTEM Center versions 2020 U10 and prior contain a cross-site scripting vulnerability that may allow an attacker to inject malicious code into report header graphic files that could propagate out of the system and reach users who are subscribed to email notifications.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SUBNET Solutions Inc. | PowerSYSTEM Center | 0 <= 2020 U10 | affected |
Weaknesses
- CWE-79: CWE-79 Cross-site Scripting
Workarounds
SUBNET Solutions recommends users to follow the following workarounds:
- Users should verify that SVG files do not contain HTML elements or scripts and validate that JPG and PNG files are not SVG files.
- Users should verify network security rules to ensure that outbound connections to the internet are not possible.
- If the above cannot be performed or notifications are not required, disable email notifications for reports from PowerSYSTEM Center.
- Monitor user activity and ensure application control rules only allow preauthorized executables to run.
- Deny users to run other executables on client access servers (PowerSYSTEM Center front end access point).
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.