CVE-2013-0663 - Vulnerability Details

Cross-site request forgery (CSRF) vulnerability on the Schneider Electric Quantum 140NOE77111, 140NOE77101, and 140NWM10000; M340 BMXNOC0401, BMXNOE0100x, and BMXNOE011xx; and Premium TSXETY4103, TSXETY5103, and TSXWMY100 PLC modules allows remote attackers to hijack the authentication of arbitrary users for requests that execute commands, as demonstrated by modifying HTTP credentials.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Modicon M340 Modicon Premium Modicon Quantum Plc

Configuration 1 [-]

OR	cpe:2.3:h:schneider-electric:modicon_quantum_plc:140noe77101:::::::*
	cpe:2.3:h:schneider-electric:modicon_quantum_plc:140noe77111:::::::*
	cpe:2.3:h:schneider-electric:modicon_quantum_plc:140nwm10000:::::::*

Configuration 2 [-]

OR	cpe:2.3:h:schneider-electric:modicon_m340:bmxnoc0401:::::::*
	cpe:2.3:h:schneider-electric:modicon_m340:bmxnoe011xx:::::::*
	cpe:2.3:h:schneider-electric:modicon_m340:bmxnoe0100x:::::::*

Configuration 3 [-]

OR	cpe:2.3:h:schneider-electric:modicon_premium:tsxety4103:::::::*
	cpe:2.3:h:schneider-electric:modicon_premium:tsxety5103:::::::*
	cpe:2.3:h:schneider-electric:modicon_premium:tsxwmy100:::::::*

No data.

References

Link	Providers
http://ics-cert.us-cert.gov/pdf/ICSA-13-077-01A.pdf
http://www.schneider-electric.com/download/ww/en/details/35081317-Vulnerability-Disclosure-for-Quantum-Premium-and-M340/
http://www.schneider-electric.com/download/ww/en/file/36555639-SEVD-2013-023-01.pdf/?fileName=SEVD-2013-023-01.pdf&reference=SEVD-2013-023-01&docType=Technical-paper
https://www.exploit-db.com/exploits/44678/

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2013-04-04T10:00:00

Updated: 2024-08-06T14:33:05.456Z

Reserved: 2012-12-19T00:00:00

Link: CVE-2013-0663

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-04-04T11:58:48.687

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-0663

Redhat

No data.

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object