PatchSiren cyber security CVE debrief
CVE-2022-45087 Gruparge CVE debrief
A stored or reflected Cross-Site Scripting (XSS) vulnerability exists in Gruparge Smartpower Web, an energy and control systems management platform, affecting versions prior to 23.01.01. The flaw stems from improper neutralization of user-supplied input during web page generation (CWE-79), allowing attackers to inject malicious scripts that execute in victims' browsers. With a CVSS 3.1 score of 6.1 (Medium), the vulnerability requires user interaction and network access but can compromise session integrity and enable unauthorized actions within the application context. The Turkish National Cyber Security Incident Response Team (USOM) published advisory TR-23-0066 on February 12, 2023, coinciding with initial CVE publication. The NVD record was subsequently modified on May 18, 2026, indicating ongoing curation of reference data. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Gruparge
- Product: Smartpower Web
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-02-12
- Original CVE updated: 2026-05-18
- Advisory published: 2023-02-12
- Advisory updated: 2026-05-18
Who should care
Organizations operating Gruparge Smartpower Web for energy management and industrial control; security teams responsible for OT/ICS web application security; Turkish critical infrastructure operators subject to USOM advisories; energy sector CISOs managing third-party vendor risk in control system software.
Technical summary
The vulnerability resides in Smartpower Web's handling of user input during dynamic page generation. Insufficient output encoding allows attacker-controlled data to be rendered as executable script in the browser. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) describes a network-exploitable, low-complexity attack that needs no privileges but does require user interaction, with a scope change because the injected script executes in the victim's browser rather than in the vulnerable server component. Successful exploitation could enable session hijacking, credential theft, or unauthorized administrative actions within the Smartpower Web application. The fix in version 23.01.01 adds input validation and context-appropriate output encoding so that user-supplied data is neutralized before it reaches the page.
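As an added illustration of the CWE-79 pattern described above (example code, not Gruparge's or Smartpower Web's own), the snippet below renders the same user-supplied value twice: once by raw interpolation, which is the vulnerable pattern, and once after encoding for the HTML text or attribute context, which is the fix the advisory describes. A small HTML-parser-based check shows which rendering actually produces active content, and a Content-Security-Policy header is included as the defence-in-depth layer recommended later. The page layout, parameter names and the `probe()` marker strings are constructed assumptions.

```python
"""Added example: vulnerable vs. encoded rendering of user input (CWE-79).
Not Gruparge/Smartpower Web code; page and parameter names are hypothetical."""
import html
from html.parser import HTMLParser

# Constructed test values: a script block and an attribute-breakout string.
PROBE = "<script>probe()</script>"
ATTR_PROBE = '" onerror="probe()'


def render_unsafe(display_name: str) -> str:
    """Vulnerable pattern: user data interpolated straight into markup."""
    return f"<h1>Welcome, {display_name}</h1>"


def render_safe(display_name: str) -> str:
    """Hardened pattern: encode for the HTML text context first."""
    return f"<h1>Welcome, {html.escape(display_name, quote=True)}</h1>"


def render_attr_unsafe(search: str) -> str:
    """Vulnerable pattern inside a quoted attribute value."""
    return f'<input name="q" value="{search}">'


def render_attr_safe(search: str) -> str:
    """quote=True also encodes ' and ", so the value cannot close the attribute."""
    return f'<input name="q" value="{html.escape(search, quote=True)}">'


class ActiveContentFinder(HTMLParser):
    """Collects script tags and on* event-handler attributes from rendered HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")


def active_content(rendered: str) -> list[str]:
    """Parse the rendered page the way a browser would and report active content."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


def csp_header() -> tuple[str, str]:
    """Response header that blocks inline script even if an encoding bug remains."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


if __name__ == "__main__":
    for label, out in (
        ("unsafe text", render_unsafe(PROBE)),
        ("safe text", render_safe(PROBE)),
        ("unsafe attr", render_attr_unsafe(ATTR_PROBE)),
        ("safe attr", render_attr_safe(ATTR_PROBE)),
    ):
        print(f"{label:12} -> {out}  active={active_content(out)}")
    print(": ".join(csp_header()))
```

The parser-based check matters: a substring test for `onerror=` would still match the encoded attribute output, even though the browser would treat `&quot; onerror=&quot;probe()` as an inert attribute value. Encoding must match the context (text, attribute, URL, JavaScript), and CSP without `'unsafe-inline'` limits what any residual injection can execute.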
Defensive priority
medium
Recommended defensive actions
- Upgrade Gruparge Smartpower Web to version 23.01.01 or later to remediate the XSS vulnerability.
- Implement Content Security Policy (CSP) headers to mitigate the impact of any residual or unpatched XSS vectors.
- Validate and sanitize all user-supplied input at both client and server layers, encoding output appropriately for HTML context.
- Review application logs for suspicious script injection patterns or unexpected HTML/JavaScript content in request parameters.
- If immediate patching is not feasible, consider deploying web application firewall (WAF) rules to detect and block common XSS payloads targeting Smartpower Web endpoints.
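To make the log-review action concrete, here is an added example (not part of the USOM advisory or the vendor's tooling) that parses Common Log Format access-log lines, percent-decodes each query parameter, and flags values carrying HTML markup, inline event-handler, or `javascript:` scheme indicators. The log lines, IP addresses and endpoint paths are constructed; Smartpower Web's real endpoints and log format are not documented on this page.

```python
"""Added example: triage of web access logs for script-injection indicators
in request parameters. Not Gruparge/Smartpower Web code; the log lines,
addresses and paths below are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Common Log Format lines with hypothetical endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2023:10:01:02 +0300] "GET /report?site=plant-a&range=7d HTTP/1.1" 200 5120
10.0.0.9 - - [12/Feb/2023:10:01:09 +0300] "GET /report?site=%3Cscript%3Eprobe()%3C%2Fscript%3E HTTP/1.1" 200 5133
10.0.0.9 - - [12/Feb/2023:10:02:11 +0300] "GET /search?q=%22%20onerror%3D%22probe() HTTP/1.1" 200 2048
10.0.0.7 - - [12/Feb/2023:10:03:00 +0300] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [12/Feb/2023:10:04:30 +0300] "GET /help?topic=javascript%3Aprobe() HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of HTML-context script injection, checked against decoded values.
INDICATORS = (
    ("html_tag", re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script_scheme", re.compile(r"javascript\s*:", re.I)),
)


def decode_param(value: str) -> str:
    """parse_qsl has already decoded once; decode again so double-encoded
    values are inspected too (a no-op when the value contains no '%')."""
    return unquote(value)


def classify(value: str):
    """Return the first indicator label that matches the value, or None."""
    for label, pattern in INDICATORS:
        if pattern.search(value):
            return label
    return None


def scan_line(line: str) -> list:
    """Parse one log line and return a finding per suspicious query parameter."""
    m = REQUEST_RE.match(line)
    if not m:
        return []  # not a request line in the expected format
    parts = urlsplit(m.group("target"))
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        label = classify(decode_param(raw))
        if label:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": parts.path,
                "param": name,
                "indicator": label,
            })
    return findings


def scan_log(text: str) -> list:
    """Scan every non-empty line and concatenate the findings."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Scanning decoded parameter values rather than raw lines is what makes the percent-encoded `<script>` and `javascript:` cases visible; the indicator set is deliberately small and tuned to HTML-context injection, so hits are triage leads for the review step, not verdicts. POST bodies are not in access logs, so this covers only query-string parameters.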
Evidence notes
CVE published 2023-02-12; NVD modified 2026-05-18. Advisory TR-23-0066 issued by USOM (Turkish National Cyber Security Incident Response Team). Affected product confirmed via NVD CPE: cpe:2.3:a:gruparge:smartpower_web:*:*:*:*:*:*:*:*, vulnerable versions before 23.01.01. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
Official resources
- CVE-2022-45087 CVE record (CVE.org)
- CVE-2022-45087 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Mitigation or vendor reference, [email protected] - Third Party Advisory, 2023-02-12