Eaton Foreseer Reporting Software up to 1.5.99 Hierarchy Management Page cross site scripting

Summaryinfo

A vulnerability was found in Eaton Foreseer Reporting Software up to 1.5.99 and classified as critical. Affected by this issue is some unknown functionality of the component Hierarchy Management Page. Such manipulation leads to input validation. This vulnerability is referenced as CVE-2025-22491. The attack can only be performed from a local environment. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Eaton Foreseer Reporting Software up to 1.5.99. It has been rated as critical. Affected by this issue is an unknown code of the component Hierarchy Management Page. The manipulation with an unknown input leads to a input validation vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is confidentiality, integrity, and availability. CVE summarizes:

The user input was not sanitized on Reporting Hierarchy Management page of Foreseer Reporting Software (FRS) application which could lead into execution of arbitrary JavaScript in a browser context for all the interacting users. This security issue has been patched in the latest version 1.5.100 of the FRS.

The advisory is shared for download at eaton.com. This vulnerability is handled as CVE-2025-22491 since 01/07/2025. The exploitation is known to be easy. The attack needs to be approached locally. The exploitation requires an enhanced level of successful authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1059.007.

Upgrading to version 1.5.100 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Reporting Software

Vendor

• Eaton

Name

• Foreseer Reporting Software

Version

• 1.5.0
• 1.5.1
• 1.5.2
• 1.5.3
• 1.5.4
• 1.5.5
• 1.5.6
• 1.5.7
• 1.5.8
• 1.5.9
• 1.5.10
• 1.5.11
• 1.5.12
• 1.5.13
• 1.5.14
• 1.5.15
• 1.5.16
• 1.5.17
• 1.5.18
• 1.5.19
• 1.5.20
• 1.5.21
• 1.5.22
• 1.5.23
• 1.5.24
• 1.5.25
• 1.5.26
• 1.5.27
• 1.5.28
• 1.5.29
• 1.5.30
• 1.5.31
• 1.5.32
• 1.5.33
• 1.5.34
• 1.5.35
• 1.5.36
• 1.5.37
• 1.5.38
• 1.5.39
• 1.5.40
• 1.5.41
• 1.5.42
• 1.5.43
• 1.5.44
• 1.5.45
• 1.5.46
• 1.5.47
• 1.5.48
• 1.5.49
• 1.5.50
• 1.5.51
• 1.5.52
• 1.5.53
• 1.5.54
• 1.5.55
• 1.5.56
• 1.5.57
• 1.5.58
• 1.5.59
• 1.5.60
• 1.5.61
• 1.5.62
• 1.5.63
• 1.5.64
• 1.5.65
• 1.5.66
• 1.5.67
• 1.5.68
• 1.5.69
• 1.5.70
• 1.5.71
• 1.5.72
• 1.5.73
• 1.5.74
• 1.5.75
• 1.5.76
• 1.5.77
• 1.5.78
• 1.5.79
• 1.5.80
• 1.5.81
• 1.5.82
• 1.5.83
• 1.5.84
• 1.5.85
• 1.5.86
• 1.5.87
• 1.5.88
• 1.5.89
• 1.5.90
• 1.5.91
• 1.5.92
• 1.5.93
• 1.5.94
• 1.5.95
• 1.5.96
• 1.5.97
• 1.5.98
• 1.5.99

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion