CVE-2017-5156

A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external site to access internal RDP systems on behalf of the currently logged in user.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
icscertCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
VendorProductVersion
avevawonderware_intouch_access_anywhere
𝑥
≤ 11.5.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/
http://www.securityfocus.com/bid/97256
https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01
http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/
http://www.securityfocus.com/bid/97256
https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01