Cross-Site Scripting Vulnerability in Spectrum Power 4

An attacker could inject malicious code into the web-based Online Help that would run in the browser of operators or engineers, allowing the attacker to steal session credentials or manipulate displayed information that operators rely on for control decisions.

Electric utility operators and engineers at power generation and distribution facilities who use Spectrum Power 4 for monitoring and control. Anyone with browser access to the Spectrum Power 4 web interface, particularly those who consult Online Help documentation during operations.

An attacker would craft a malicious link or embed XSS payload in the Online Help feature of Spectrum Power 4. When an operator clicks the link or accesses the help page, the injected code runs in their browser without authentication, potentially capturing their session token or tricking them into providing credentials.