AVEVA Application Server IDE Persistent Cross-Site Scripting Vulnerability Allowing Privilege Escalation
Vulnerability
A persistent cross-site scripting (XSS) vulnerability has been identified in the IDE component of AVEVA Application Server, affecting versions through 2023 R2 SP1 P02. An authenticated user with 'aaConfigTools' privileges can modify help files and inject XSS payloads that can be executed by other users, potentially leading to horizontal or vertical privilege escalation. The issue arises during configuration operations within the IDE; runtime components are unaffected.
Impact
Exploitation allows unauthorized modification of help files and injection of cross-site scripting code that other users can then execute, leading to unauthorized privilege escalation.
Remediation
Users can upgrade to AVEVA System Platform 2023 R2 SP1 P03 or higher to address this vulnerability. It is also recommended to audit permissions to ensure only trusted users have 'aaConfigTools' privileges.
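One way to carry out the permission audit recommended above, as an added example that is not from AVEVA or from this advisory. It assumes 'aaConfigTools' is a local Windows group on the node being audited; the approved account names are constructed placeholders.

```powershell
# Added example: list who holds 'aaConfigTools' and flag anything not approved.
# Assumption: 'aaConfigTools' is a local Windows group on this machine.
$GroupName = 'aaConfigTools'

# Constructed placeholder entries; replace with the accounts your site has approved.
$Approved = @(
    'ENG-WS01\ide_admin',
    'EXAMPLE\GalaxyEngineers'
)

# Stop on error so a missing group is not mistaken for an empty one.
$members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)

# Build one report row per direct member. -in compares strings case-insensitively.
$report = @(foreach ($m in $members) {
    [pscustomobject]@{
        Name           = $m.Name
        ObjectClass    = $m.ObjectClass
        Source         = $m.PrincipalSource
        Approved       = $m.Name -in $Approved
        # A nested group grants the privilege to all of its members,
        # so its membership has to be reviewed separately.
        NeedsExpansion = $m.ObjectClass -eq 'Group'
    }
})

$report | Sort-Object Approved, Name | Format-Table -AutoSize

$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} member(s) of '{1}' are not on the approved list: {2}" -f `
        $unapproved.Count, $GroupName, ($unapproved.Name -join ', '))
} else {
    Write-Output "All $($report.Count) member(s) of '$GroupName' are approved."
}
```

Run it in an elevated Windows PowerShell session on each node where the IDE is installed. Members with `NeedsExpansion` set are groups whose own membership is not listed here.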
