WebApp OpenRedirect CVE-2023-5986: URL Redirection to Untrusted Site
CVE-2023-5986 Published on November 15, 2023

A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input attackers can cause the softwares web application to redirect to the chosen domain after a successful login is performed.

NVD

Vulnerability Analysis

CVE-2023-5986 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

What is an Open Redirect Vulnerability?

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

CVE-2023-5986 has been classified to as an Open Redirect vulnerability or weakness.

Products Associated with CVE-2023-5986

Want to know whenever a new CVE is published for Schneider Electric Ecostruxure Power Monitoring Expert? stack.watch will email you.

Schneider Electric Ecostruxure Power Monitoring Expert

Affected Versions

Schneider Electric EcoStruxure Power Monitoring Expert (PME):

Version Version 2020 CU2 and prior is affected.
Version Version 2021 CU1 and prior is affected.

Schneider Electric EcoStruxure Power Operation (EPO) – Advanced Reporting and Dashboards Module:

Version Advanced Reporting and Dashboards Module 2021 prior to CU2 for EcoStruxure Power Operation 2021 is affected.
Version Advanced Reporting and Dashboards Module 2020 prior to CU3 is affected.

Schneider Electric EcoStruxure Power SCADA Operation (PSO) - Advanced Reporting and Dashboards Module:

Version EcoStruxure Power SCADA Operation (PSO) 2020 or 2020 R2 is affected.

Exploit Probability

EPSS

0.17%

Percentile

38.75%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.