CVE-2024-8401

Summary

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an authenticated attacker modifies folder names within the context of the product.

Affected Software

VendorProductVersion RangeStatus
Schneider ElectricEcoStruxure Power Monitoring Expert (PME) 20212021 CU1 and prioraffected
Schneider ElectricEcoStruxure Power Monitoring Expert (PME) 20202020 CU3 and prioraffected
Schneider ElectricEcoStruxure Power Operation (EPO) 2022CU4 and prioraffected
Schneider ElectricEcoStruxure Power Operation (EPO) 2022 – Advanced Reporting and Dashboards ModuleCU4 and prioraffected
Schneider ElectricEcoStruxure Power Operation (EPO) 2021CU4 and prioraffected
Schneider ElectricEcoStruxure Power Operation (EPO) 2021 – Advanced Reporting and Dashboards ModuleCU3 with Hotfix 2 and prioraffected
Schneider ElectricEcoStruxure Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards ModuleAll Versionsaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References