PN1631 | PowerMonitor™ 1000 – Cross-Site Scripting Vulnerability

Affected Product (automated)	First Known in Software Revision	Corrected in Software Revision
PowerMonitor™ 1000	V4.011	V4.019

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2072 IMPACT
The PowerMonitor 1000 contains stored cross site scripting vulnerabilities within the web page of the product.  The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.

CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.

• Upgrade to V4.019 which has been patched to mitigate these issues.
• Additionally, we encourage the customer to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

• CVE-2023-2072 JSON