Filtered by vendor Schneider-electric
Subscribe
Total
732 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27976 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2023-12-10 | N/A | 8.8 HIGH |
| A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above) | |||||
| CVE-2023-25550 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-12-10 | N/A | 9.8 CRITICAL |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
| CVE-2023-37197 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-12-10 | N/A | 8.8 HIGH |
| A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE. | |||||
| CVE-2022-34755 | 1 Schneider-electric | 1 Easergy Builder Installer | 2023-12-10 | N/A | 6.7 MEDIUM |
| A CWE-427 - Uncontrolled Search Path Element vulnerability exists that could allow an attacker with a local privileged account to place a specially crafted file on the target machine, which may give the attacker the ability to execute arbitrary code during the installation process initiated by a valid user. Affected Products: Easergy Builder Installer (1.7.23 and prior) | |||||
| CVE-2023-25551 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-12-10 | N/A | 6.1 MEDIUM |
| A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
| CVE-2023-29412 | 2 Microsoft, Schneider-electric | 7 Windows 10, Windows 11, Windows Server 2016 and 4 more | 2023-12-10 | N/A | 9.8 CRITICAL |
| A CWE-78: Improper Handling of Case Sensitivity vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface. | |||||
| CVE-2023-29411 | 2 Microsoft, Schneider-electric | 7 Windows 10, Windows 11, Windows Server 2016 and 4 more | 2023-12-10 | N/A | 9.8 CRITICAL |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. | |||||
| CVE-2023-25619 | 1 Schneider-electric | 14 Bmeh58s, Bmeh58s Firmware, Bmep58s and 11 more | 2023-12-10 | N/A | 7.5 HIGH |
| A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when communicating over the Modbus TCP protocol. | |||||
| CVE-2023-1049 | 1 Schneider-electric | 2 Ecostruxure Operator Terminal Expert, Pro-face Blue | 2023-12-10 | N/A | 7.8 HIGH |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI. | |||||
| CVE-2023-29413 | 2 Microsoft, Schneider-electric | 7 Windows 10, Windows 11, Windows Server 2016 and 4 more | 2023-12-10 | N/A | 7.5 HIGH |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. | |||||
| CVE-2023-27983 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2023-12-10 | N/A | 5.3 MEDIUM |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow deletion of reports from the IGSS project report directory, this would lead to loss of data when an attacker abuses this functionality. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | |||||
| CVE-2023-25547 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-12-10 | N/A | 8.8 HIGH |
| A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
| CVE-2023-37199 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-12-10 | N/A | 7.2 HIGH |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | |||||
| CVE-2023-1548 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2023-12-10 | N/A | 5.5 MEDIUM |
| A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above) | |||||
| CVE-2023-27978 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2023-12-10 | N/A | 7.8 HIGH |
| A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | |||||
| CVE-2023-27982 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2023-12-10 | N/A | 8.8 HIGH |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | |||||
| CVE-2023-25620 | 1 Schneider-electric | 16 140cpu65, 140cpu65 Firmware, Bmeh58s and 13 more | 2023-12-10 | N/A | 6.5 MEDIUM |
| A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when a malicious project file is loaded onto the controller by an authenticated user. | |||||
| CVE-2023-29410 | 1 Schneider-electric | 6 Conext Gateway, Conext Gateway Firmware, Insightfacility and 3 more | 2023-12-10 | N/A | 8.8 HIGH |
| A CWE-20: Improper Input Validation vulnerability exists that could allow an authenticated attacker to gain the same privilege as the application on the server when a malicious payload is provided over HTTP for the server to execute. | |||||
| CVE-2023-25549 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-12-10 | N/A | 9.8 CRITICAL |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
| CVE-2023-25556 | 1 Schneider-electric | 14 Merten Instabus Tastermodul 1fach System M, Merten Instabus Tastermodul 1fach System M Firmware, Merten Instabus Tastermodul 2fach System M and 11 more | 2023-12-10 | N/A | 8.8 HIGH |
| A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation. | |||||