PatchSiren

CVE-2017-5157 Schneider Electric CVE debrief

CVE-2017-5157 is a cross-site scripting (CWE-79) issue affecting Schneider Electric homeLYnk Controller LSS100100 firmware versions before V1.5.0. According to the CVE description, user inputs can be manipulated to trigger JavaScript execution. NVD rates the issue CVSS 3.0 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), indicating network reachability and required user interaction, with limited confidentiality and integrity impact.

Vendor: Schneider Electric
Product: CVE-2017-5157
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Administrators, integrators, and operators responsible for Schneider Electric homeLYnk Controller LSS100100 deployments, especially any environment where users interact with the device through a browser-based interface or exposed management functions.

Technical summary

The official record describes a client-side injection weakness in the homeLYnk Controller LSS100100 web-facing input handling. The CVE states that manipulated user input can lead to JavaScript execution, and NVD maps the weakness to CWE-79. The CVE description says affected versions are all releases prior to V1.5.0; the NVD record also associates the issue with the homeLYnk Controller LSS100100 firmware CPE.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Schneider Electric homeLYnk Controller LSS100100 firmware to V1.5.0 or later.
  • Review any browser-accessible fields or parameters on the controller for unsafe input handling.
  • Restrict access to the management interface to trusted administrative networks where possible.
  • Apply browser-side and server-side output encoding/escaping controls in any custom integrations that render controller-supplied data.
  • Validate that remediation is present across all deployed units and not just a single test device.
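
One way to carry out the last action across a whole fleet, as an added example that is not from the CVE record or from Schneider Electric: compare each unit's recorded firmware against V1.5.0 numerically and treat any unreadable version as unverified rather than patched. The inventory CSV layout, the hostnames and the firmware version string format are assumptions, and the sample data is constructed.

```python
import csv
import io
import re

FIXED = (1, 5, 0)  # first fixed firmware per the CVE description (V1.5.0)

# Constructed sample inventory; hostnames and the CSV layout are assumptions.
SAMPLE_INVENTORY = """hostname,model,firmware
hl-lobby,LSS100100,V1.3.1
hl-plant-a,LSS100100,1.5.0
hl-plant-b,LSS100100,v1.10.2
hl-annex,LSS100100,
hl-lab,LSS100100,V1.4
hl-test,LSS100100,1.5.0-rc1
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None when the string is not purely
    dotted-numeric (empty, pre-release suffix, free text)."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){0,2})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(firmware):
    version = parse_version(firmware)
    if version is None:
        return "unverified"  # never assume an unreadable version is patched
    # Tuple comparison is numeric, so 1.10.2 correctly sorts above 1.5.0.
    return "patched" if version >= FIXED else "vulnerable"

def audit(csv_text):
    """Map each status to the list of hostnames in that state."""
    report = {"vulnerable": [], "patched": [], "unverified": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[classify(row["firmware"] or "")].append(row["hostname"])
    return report

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:11} {len(hosts)}  {', '.join(hosts)}")
```

Units reported as unverified need their firmware confirmed on the device itself before the fleet is considered remediated.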

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and the linked official references. The CVE was published on 2017-02-13. The NVD record lists CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and CWE-79. The record’s references include the ICS-CERT advisory ICSA-17-019-01 and SecurityFocus BID 95665. The 2026-05-13 modified timestamp reflects record maintenance, not the original vulnerability date.

Official resources

Originally published in the CVE record on 2017-02-13; the NVD entry was later modified on 2026-05-13 as part of record maintenance.