Background On the 4th August 2015, I discovered a cross-site scripting vulnerability in Schneider Electric’s PowerLogic 800 power meter, specifically in the embedded webserver on the PM8ECC add-on module. After a lengthy nine (9) month disclosure period, Schneider Electric formally thanked me and released a firmware patch to fix the vulnerability, under security advisory SEVD-2016-132-01. […]