CVE-2024-8401

MEDIUM

Schneider Electric EcoStruxure Power Monitoring Expert (PME) 2021 < 2021 CU1 - Stored XSS via Folder Name

Title source: llm
STIX 2.1

Description

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an authenticated attacker modifies folder names within the context of the product.

Scores

CVSS v3 5.4
EPSS 0.0029
EPSS Percentile 20.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (7)
Schneider Electric/EcoStruxure Power Monitoring Expert (PME) 2020 2020 CU3 and prior
Schneider Electric/EcoStruxure Power Monitoring Expert (PME) 2021 2021 CU1 and prior
Schneider Electric/EcoStruxure Power Operation (EPO) 2021 CU4 and prior
Schneider Electric/EcoStruxure Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module CU3 with Hotfix 2 and prior
Schneider Electric/EcoStruxure Power Operation (EPO) 2022 CU4 and prior
Schneider Electric/EcoStruxure Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module CU4 and prior
Schneider Electric/EcoStruxure Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module All Versions
Published Jan 28, 2025
Tracked Since Feb 18, 2026