PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-45091 Group Arge Energy and Control Systems CVE debrief

CVE-2022-45091 is a reflected Cross-Site Scripting (XSS) vulnerability in Gruparge Smartpower Web, an energy management and control systems platform. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79). Affected versions are those prior to 23.01.01. The CVSS 3.1 score of 5.4 (Medium) reflects a network attack vector, low attack complexity, low privileges required, and user interaction needed, with a scope change and low impact on confidentiality and integrity. The vulnerability was published in the CVE database on February 12, 2023, and last modified on May 18, 2026. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The Turkish National Cyber Security Incident Response Team (USOM) issued advisory TR-23-0066 providing third-party guidance on this issue.

Vendor: Group Arge Energy and Control Systems
Product: Smartpower Web
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-02-12
Original CVE updated: 2026-05-18
Advisory published: 2023-02-12
Advisory updated: 2026-05-18

Who should care

Organizations operating Gruparge Smartpower Web energy management systems, particularly in critical infrastructure and industrial control environments. Security teams responsible for OT/ICS network protection, energy sector CISOs, and system integrators deploying Smartpower Web solutions should prioritize patching. Organizations subject to regulatory frameworks that require XSS remediation in web-facing industrial applications are also affected.

Technical summary

The vulnerability exists in the web interface of Smartpower Web, where user-supplied input is not properly sanitized before being incorporated into generated web pages. This allows an attacker with low privileges to inject malicious scripts that execute in the context of another user's browser session. The attack requires user interaction (such as clicking a crafted link) and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The scope change (S:C) in the CVSS vector indicates that a successful exploit affects resources beyond the vulnerable component's own security authority: the injected script runs in the victim's browser rather than on the web application itself.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Gruparge Smartpower Web to version 23.01.01 or later to remediate the XSS vulnerability
  • Implement Content Security Policy (CSP) headers to mitigate the impact of potential XSS exploitation
  • Apply input validation and output encoding for all user-controllable data rendered in web responses
  • Review and sanitize all web application inputs that may be reflected in HTTP responses
  • Monitor for anomalous web requests containing script tags or encoded JavaScript payloads
  • Consult vendor security advisories and USOM guidance for additional hardening recommendations
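The two code-level actions above (output encoding plus CSP) and the monitoring action, shown together as an added example. This is not Smartpower Web code and not the vendor's fix; the /search route, the q parameter and the sample log lines are assumed or constructed for illustration.

```javascript
// Added example (not Smartpower Web code): output encoding for a reflected
// parameter, a restrictive CSP header, and a log-line check for encoded
// script payloads. Route name, parameter name and log lines are assumed.

// Encode the characters that can break out of HTML text or attribute context.
// Adequate for CWE-79 in those contexts only, not for data placed in
// JavaScript, URL or CSS contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the query parameter is concatenated into the page as-is.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened pattern: the same page with the parameter HTML-encoded first.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// A CSP that forbids inline script, so a missed encoding is not executable.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Detection: peel off up to three layers of URL encoding (double-encoded
// payloads are common) and look for script markers. Returns the first
// marker found or null. Heuristic: expect some false positives in practice.
const SCRIPT_MARKERS = [/<script/i, /javascript:/i, /\bon(load|error|click|focus|mouseover)\s*=/i];
function findScriptMarker(requestLine) {
  let decoded = requestLine;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(decoded); } catch (e) { break; }
    if (next === decoded) break;
    decoded = next;
  }
  for (const re of SCRIPT_MARKERS) {
    const m = decoded.match(re);
    if (m) return m[0];
  }
  return null;
}

// Constructed sample access-log request lines (not from a real deployment).
const SAMPLE_REQUESTS = [
  'GET /search?q=meter%2012 HTTP/1.1',          // benign
  'GET /search?q=%3Cscript%3E HTTP/1.1',        // single URL encoding
  'GET /search?q=%253Cscript%253E HTTP/1.1',    // double URL encoding
];
```

Send CSP_HEADER as the Content-Security-Policy response header on every page of the web interface, and run findScriptMarker over access-log request lines as a first-pass filter before manual review.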

Evidence notes

The CVE description confirms XSS via improper input neutralization. NVD CPE criteria specify the affected product as gruparge:smartpower_web with versions before 23.01.01. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N supports the 5.4 score. CWE-79 is identified as the primary weakness by both the NVD and USOM sources.

Official resources

The vulnerability was disclosed through official channels with publication to the CVE database on February 12, 2023. USOM published advisory TR-23-0066 as a third-party advisory source.