Vulnerability Monitor

CVE-2013-0663


Cross-site request forgery (CSRF) vulnerability on the Schneider Electric Quantum 140NOE77111, 140NOE77101, and 140NWM10000; M340 BMXNOC0401, BMXNOE0100x, and BMXNOE011xx; and Premium TSXETY4103, TSXETY5103, and TSXWMY100 PLC modules allows remote attackers to hijack the authentication of arbitrary users for requests that execute commands, as demonstrated by modifying HTTP credentials.


Published

2013-04-04T11:58:48.687

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-352

Affected Vendors & Products

Type      Vendor              Product              Version/Range  Vulnerable?
Hardware  schneider-electric  modicon_quantum_plc  140noe77101    Yes
Hardware  schneider-electric  modicon_quantum_plc  140noe77111    Yes
Hardware  schneider-electric  modicon_quantum_plc  140nwm10000    Yes
Hardware  schneider-electric  modicon_m340         bmxnoc0401     Yes
Hardware  schneider-electric  modicon_m340         bmxnoe011xx    Yes
Hardware  schneider-electric  modicon_m340         bmxnoe0100x    Yes
Hardware  schneider-electric  modicon_premium      tsxety4103     Yes
Hardware  schneider-electric  modicon_premium      tsxety5103     Yes
Hardware  schneider-electric  modicon_premium      tsxwmy100      Yes

References