Parsons AccuWeather and Custom RSS Widget Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting vulnerability has been identified in the AccuWeather and Custom RSS widget, part of Parsons Utility Enterprise Data Management and AclaraONE Utility Portal. This vulnerability allows an unauthenticated user to replace the RSS feed URL with a malicious one. Affected versions include Parsons Utility Enterprise Data Management versions 5.18, 5.03, 4.02 through 4.26, and 3.30, as well as AclaraONE Utility Portal versions prior to 1.22.
Impact
Exploitation of this vulnerability could enable an attacker to insert a malicious link into the RSS feed, potentially leading users to harmful sites or content.
Remediation
For AclaraONE On-Premise Users, a patch is available through the Aclara Connect Customer Portal. Aclara Support can also assist with applying the patch. For Parsons Utility Enterprise Data Management Users, this vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. AclaraONE Hosted Users have also been patched as of February 7, 2025.
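The class of flaw described above (an attacker-controlled feed URL whose items are rendered as links) is usually contained by two checks: validating the feed URL server-side and sanitizing each item before rendering. The following is an added example, not code from the advisory or from either product; the allowlisted host, function names, and sample items are constructed assumptions.

```javascript
// Added example: hypothetical hardening for a widget that renders an RSS feed.
// ALLOWED_FEED_HOSTS and all function names are assumptions, not product code.
const ALLOWED_FEED_HOSTS = new Set(["feeds.example.com"]); // constructed allowlist

// Accept a feed URL only if it is https, has no userinfo, and its host is allowlisted.
function isAllowedFeedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  return u.protocol === "https:" && ALLOWED_FEED_HOSTS.has(u.hostname)
    && u.username === "" && u.password === "";
}

// Escape text for HTML element and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Return a normalized http(s) link, or null for any other scheme.
function safeLink(raw) {
  let u;
  try { u = new URL(String(raw).trim()); } catch { return null; }
  return (u.protocol === "https:" || u.protocol === "http:") ? u.href : null;
}

// Render one feed item; items with unsafe links are shown as plain text.
function renderItem(item) {
  const title = escapeHtml(item.title);
  const href = safeLink(item.link);
  if (href === null) return `<li>${title}</li>`;
  return `<li><a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a></li>`;
}

// Render a feed only when its URL passes the allowlist check.
function renderFeed(feedUrl, items) {
  if (!isAllowedFeedUrl(feedUrl)) return "";
  return `<ul>${items.map(renderItem).join("")}</ul>`;
}
```

The allowlist check belongs on the server endpoint that stores the feed URL, behind authentication, so that a client-side bypass cannot change which feed is fetched.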
