Certec EDV GmbH atvise scada Cross Site Scripting and HTTP Header Injection Vulnerabilities



Certec EDV GmbH atvise scada is prone to a cross-site scripting vulnerability and an HTTP header-injection vulnerability.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks and to insert a crafted HTTP header into an HTTP response that could cause web server cache poisoning. These issues may aid in further attacks.

Versions prior to atvise 3.1 are vulnerable.

Information

Bugtraq ID: 97479
Class: Input Validation Error
CVE: CVE-2017-6031
CVE-2017-6029

Remote: Yes
Local: No
Published: Apr 06 2017 12:00AM
Credit: Sebastian Neef of Internetwache.org
Vulnerable: Certec EDV GmbH atvise 3.0


Not Vulnerable: Certec EDV GmbH atvise 3.1


Exploit


An attacker can exploit these issues by enticing an unsuspecting user into visiting a specially crafted URL.


Related Posts

Comments