Leviton AcquiSuite and Energy Monitoring Hub Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Leviton AcquiSuite version A8810 and Energy Monitoring Hub version A8812. The vulnerability allows an attacker to inject a malicious payload into URL parameters, which is then executed in the context of the user's browser. Exploitation could lead to the theft of session tokens and unauthorized control over the service.
Impact
Exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the user's browser, potentially stealing session tokens and gaining control over the affected service.
Remediation
Leviton has not provided a response regarding mitigation for this vulnerability. Users are encouraged to contact Leviton's customer support for more information. CISA recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods such as VPNs.
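The advisory above describes the classic reflected-XSS pattern (a URL parameter echoed into the page unescaped) and, since no vendor fix is listed, only network-level mitigations. The following is an added, generic illustration written for this page; it is not Leviton's code and makes no claim about how the AcquiSuite or Energy Monitoring Hub firmware actually renders its pages. It assumes a hypothetical handler that reflects a query parameter named `name` (constructed) into HTML, and places the vulnerable pattern beside the hardened form, plus a small check a defender can run over logged request URLs.

```python
"""Reflected XSS via URL parameters: unsafe rendering, the hardened form,
and a request-log check.  Generic illustration, not vendor code.
"""
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed sample request: a URL whose "name" parameter carries markup.
# The parameter name and host are assumptions for this example only.
SAMPLE_URL = "http://device.example/status?name=%3Cscript%3Ealert(1)%3C/script%3E"
BENIGN_URL = "http://device.example/status?name=Operator"


def param(url, key, default=""):
    """Return the first value of query parameter `key`, URL-decoded."""
    return parse_qs(urlsplit(url).query).get(key, [default])[0]


def render_unsafe(url):
    """Vulnerable pattern: the decoded parameter is concatenated into the
    HTML body verbatim, so any markup carried in the URL reaches the
    browser's parser and runs with the page's origin."""
    return f"<html><body><h1>Hello {param(url, 'name')}</h1></body></html>"


def render_safe(url):
    """Hardened form: HTML-escape the value for the element-content context.
    '<', '>', '&' and quotes become entities, so the browser shows the text
    instead of interpreting it as markup."""
    safe_name = escape(param(url, "name"), quote=True)
    return f"<html><body><h1>Hello {safe_name}</h1></body></html>"


def response_headers(session_token):
    """Defence-in-depth headers to send with the hardened page.

    - Content-Security-Policy blocks inline scripts even if an encoding
      bug slips through elsewhere.
    - HttpOnly keeps the session cookie out of reach of script, which
      limits the token-theft impact the advisory describes.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Set-Cookie": f"session={session_token}; HttpOnly; Secure; SameSite=Strict",
    }


def suspicious_params(url):
    """Detection helper: return the names of query parameters whose decoded
    value contains characters that have no place in a plain value but are
    needed to build markup.  Intended for scanning access-log URLs; it is a
    coarse heuristic and will not catch every encoding trick."""
    markers = ("<", ">", "javascript:")
    flagged = []
    for key, values in parse_qs(urlsplit(url).query).items():
        if any(m in v.lower() for v in values for m in markers):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_URL))
    print("safe   :", render_safe(SAMPLE_URL))
    print("flagged:", suspicious_params(SAMPLE_URL))
```

`render_safe` escapes for element content only; a value placed inside an attribute, a URL, or a script block needs the encoding appropriate to that context, and the CSP header is what catches the cases output encoding misses.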
