You are here

AVEVA InTouch Access Anywhere (ICSA-18-212-04) – Products Used in the Water and Wastewater and Energy Sectors

AVEVA InTouch Access Anywhere (ICSA-18-212-04) – Products Used in the Water and Wastewater and Energy Sectors

Created: Wednesday, August 1, 2018 - 13:14
Categories:
Cybersecurity

The NCCIC has released an advisory regarding a cross-site scripting (XSS) vulnerability in AVEVA InTouch Access Anywhere remote access software. The vulnerability affects AVEVA InTouch Access Anywhere, 2017 Update 2 and prior that use vulnerable jQuery libraries prior to version 3.0.0. Successful exploitation of this vulnerability may allow attackers to obtain sensitive information and/or execute Javascript or HTML code due to improper neutralization of input during web page generation. Currently there are no known public exploits; however, this vulnerability is remotely exploitable, and could be successfully exploited by an attacker with a low skill level. AVEVA has published Security Bulletin LFSEC00000126, and recommends users install update “InTouch Access Anywhere 2017 Update 2b” or later. The NCCIC also recommends a series of defensive measures to minimize the risk of exploitation of this vulnerability. NCCIC/ICS-CERT.