CVE-2015-6461
EUVD-2015-640221.03.2019, 19:29
Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC web server, which, when launched, will result in the browser redirecting to a remote file via a Java script loaded with the web page.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| schneider-electric | bmxnoc0401_firmware | - |
| schneider-electric | bmxnoe0100_firmware | - |
| schneider-electric | bmxnoe0110_firmware | - |
| schneider-electric | bmxnoe0110h_firmware | - |
| schneider-electric | bmxnor0200h_firmware | - |
| schneider-electric | modicon_m340_bmxp342020_firmware | - |
| schneider-electric | modicon_m340_bmxp342020h_firmware | - |
| schneider-electric | modicon_m340_bmxp342030_firmware | - |
| schneider-electric | modicon_m340_bmxp3420302_firmware | - |
| schneider-electric | modicon_m340_bmxp3420302h_firmware | - |
| schneider-electric | modicon_m340_bmxp342030h_firmware | - |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.