VYPR
Get started

U.motion Builder

Sign in to watch

by Schneider Electric

CVEs (7)

CVESevRiskCVSSEPSSKEVPublishedDescription
CVE-2017-9957Cri0.649.80.00Sep 26, 2017A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the web service contains a hidden system account with a hardcoded password. An attacker can use this information to log into the system with high-privilege credentials.
CVE-2017-7974Cri0.649.80.08Sep 26, 2017A path traversal information disclosure vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which an unauthenticated user can execute arbitrary code and exfiltrate files.
CVE-2017-7973Cri0.649.80.00Sep 26, 2017A SQL injection vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which an unauthenticated user can use calls to various paths allowing performance of arbitrary SQL commands against the underlying database.
CVE-2017-9958Hig0.517.80.00Sep 26, 2017An improper access control vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which an improper handling of the system configuration can allow an attacker to execute arbitrary code under the context of root.
CVE-2017-9956Hig0.477.30.00Sep 26, 2017An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use that session ID as part of the HTTP cookie of a web request, resulting in authentication bypass
CVE-2017-9959Med0.365.50.00Sep 26, 2017A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system accepts reboot in session from unauthenticated users, supporting a denial of service condition.
CVE-2017-9960Med0.345.30.00Sep 26, 2017An information disclosure vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system response to error provides more information than should be available to an unauthenticated user.