Schneider Electric ILC992
cpe:2.3:h:schneider-electric:tsxety4103:*:*:*:*:*:*:*
A cross-site scripting vulnerability has been identified in multiple Schneider Electric products, including various Altivar Process Drives, Altivar Machine Drives, Altivar Soft Starters, and specific communication modules. The vulnerability allows unvalidated data injected by a malicious user to be executed, potentially leading to unauthorized modification of, or access to, data in the victim's browser.
Successful exploitation could allow an attacker to inject malicious scripts that are executed in the context of the user's browser.
Users of the VW3A3530D: ATVdPAC module should upgrade to version 25.0, which includes a fix for this vulnerability. For other affected products, Schneider Electric is developing a remediation plan that will be communicated once available. In the meantime, users should apply general cybersecurity best practices, such as deactivating the web server when not in use, implementing network segmentation and firewalls to block unauthorized access to HTTP ports, and using VPNs for remote access.