Schneider Electric U.motion Builder css.inc.php Arbitrary File Inclusion
TSL ID TSL20170612-07
CVE ID(s) Not available.
Severity Moderate
Description

An arbitrary file inclusion vulnerability has been reported in Schneider Electric U.motion Builder. The vulnerability is caused by improper sanitization of directory traversal characters (..) by css.inc.php.

A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to the server. Successful exploitation results in information disclosure.

The vendor has not released a patch to address this vulnerability.
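
With no patch available, one compensating check is to review web server access logs for requests to css.inc.php whose query string decodes to a ".." path segment. The following is an added example, not code from this advisory or from the vendor; the combined access-log format, the /app/ path prefix, the parameter name "file" and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET_SCRIPT = "css.inc.php"  # script named in the advisory
MAX_DECODE_ROUNDS = 5          # bound on nested percent-decoding

# Constructed sample lines; path prefix and parameter name are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jun/2017:10:01:02 +0000] "GET /app/css.inc.php?file=style.css HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jun/2017:10:01:05 +0000] "GET /app/css.inc.php?file=../../example.txt HTTP/1.1" 200 90',
    '198.51.100.7 - - [12/Jun/2017:10:01:09 +0000] "GET /app/css.inc.php?file=%252e%252e%255cexample.txt HTTP/1.1" 200 90',
    '198.51.100.7 - - [12/Jun/2017:10:01:11 +0000] "GET /app/css.inc.php?file=theme..v2.css HTTP/1.1" 200 77',
]


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so nested encodings such as %252e are unwrapped."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(query: str) -> bool:
    """True if a decoded query value contains a path segment that is exactly '..'."""
    normalized = fully_decode(query).replace("\\", "/")
    return ".." in re.split(r"[/&=]", normalized)


def suspicious_requests(log_lines):
    """Return request targets that reach css.inc.php with a '..' segment in the query."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        script = fully_decode(parts.path).rsplit("/", 1)[-1].lower()
        if script == TARGET_SCRIPT and has_traversal(parts.query):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    print("\n".join(suspicious_requests(SAMPLE_LOG)))
```

Access logs record only the request line, so parameters sent in a POST body are not covered by this check.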

Affected Products
  • Schneider Electric U.motion Builder 1.2.1 and prior
CVSS Score
Base 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is NONE
  • Impact of this vulnerability on data availability is NONE
Temporal 3.7 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI