Vendor CVEs
Aveva
All CVEs
57 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-10628 | | Cri | 0.64 | 9.8 | 0.05 | | Jul 24, 2018 | AVEVA InTouch 2014 R2 SP1 and prior, InTouch 2017, InTouch 2017 Update 1, and InTouch 2017 Update 2 allow an unauthenticated user to send a specially crafted packet that could overflow the buffer on a locale not using a dot floating point separator. Exploitation could allow… |
| CVE-2018-10620 | | Cri | 0.64 | 9.8 | 0.04 | | Jul 19, 2018 | In AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1, a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with… |
| CVE-2017-5158 | | Cri | 0.64 | 9.8 | 0.02 | | Apr 20, 2017 | An Information Exposure issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. Credentials may be exposed to external systems via specific URL parameters, as arbitrary destination addresses may be specified. |
| CVE-2017-5156 | | Hig | 0.57 | 8.8 | 0.01 | | Apr 20, 2017 | A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external site to access internal RDP systems on behalf of the… |
| CVE-2007-6033 | | Hig | 0.57 | 8.8 | 0.03 | | Nov 20, 2007 | Invensys Wonderware InTouch 8.0 creates a NetDDE share with insecure permissions (Everyone/Full Control), which allows remote authenticated attackers, and possibly anonymous users, to execute arbitrary programs. |
| CVE-2026-30290 | | Hig | 0.55 | 8.4 | 0.00 | | Mar 31, 2026 | An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure. |
| CVE-2024-6456 | | Hig | 0.55 | — | 0.00 | | Aug 15, 2024 | AVEVA Historian Server has a vulnerability that, if exploited, could allow a malicious SQL command to execute under the privileges of an interactive Historian REST Interface user who had been socially engineered by a miscreant into opening a specially crafted URL. |
| CVE-2024-3468 | | Hig | 0.55 | — | 0.00 | | Jun 12, 2024 | There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker. |
| CVE-2017-9962 | | Hig | 0.49 | 7.5 | 0.01 | | Sep 26, 2017 | Schneider Electric's ClearSCADA versions released prior to August 2017 are susceptible to a memory allocation vulnerability, whereby malformed requests can be sent to ClearSCADA client applications to cause unexpected behavior. Client applications affected include ViewX and the… |
| CVE-2025-4417 | | Med | 0.36 | 5.5 | 0.00 | | Jun 12, 2025 | A cross-site scripting vulnerability exists in AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow an administrator miscreant with local access to the connector admin portal to persist arbitrary JavaScript code that will be executed by… |
| CVE-2017-5160 | | Med | 0.34 | 5.3 | 0.01 | | Apr 20, 2017 | An Inadequate Encryption Strength issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The software will connect via Transport Layer Security without verifying the peer's SSL certificate properly. |
| CVE-2025-4418 | | Med | 0.29 | 4.4 | 0.00 | | Jun 12, 2025 | An improper validation of integrity check value vulnerability exists in AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow a miscreant with elevated privileges to modify PI Connector for CygNet local data files (cache and buffers) in a… |
| CVE-2022-23854 | | | 0.10 | — | 0.46 | | Dec 23, 2022 | AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server. |
| CVE-2019-6543 | | | 0.06 | — | 0.17 | | Feb 13, 2019 | AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine. |
| CVE-2019-6545 | | | 0.04 | — | 0.14 | | Feb 13, 2019 | AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary… |
| CVE-2008-2005 | | | 0.04 | — | 0.16 | | May 6, 2008 | The SuiteLink Service (aka slssvc.exe) in WonderWare SuiteLink before 2.0 Patch 01, as used in WonderWare InTouch 8.0, allows remote attackers to cause a denial of service (NULL pointer dereference and service shutdown) and possibly execute arbitrary code via a large length… |
| CVE-2006-0088 | | | 0.03 | — | 0.01 | | Jan 5, 2006 | SQL injection vulnerability in intouch.lib.php in inTouch 0.5.1 Alpha allows remote attackers to execute arbitrary SQL commands via the user parameter. |
| CVE-2018-17916 | | | 0.01 | — | 0.04 | | Nov 2, 2018 | InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2. A remote attacker could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related… |
| CVE-2024-3467 | | | 0.00 | — | 0.00 | | Jun 12, 2024 | There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker. |
| CVE-2023-6132 | | | 0.00 | — | 0.00 | | Feb 29, 2024 | The vulnerability, if exploited, could allow a malicious entity with access to the file system to achieve arbitrary code execution and privilege escalation by tricking AVEVA Edge to load an unsafe DLL. |
| CVE-2023-34982 | | | 0.00 | — | 0.00 | | Nov 15, 2023 | This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service. |
| CVE-2023-33873 | | | 0.00 | — | 0.00 | | Nov 15, 2023 | This privilege escalation vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to escalate to System privilege on the machine where these products are installed, resulting in complete compromise of the target machine. |
| CVE-2022-36969 | | | 0.00 | — | 0.14 | | Mar 29, 2023 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a… |
| CVE-2022-28687 | | | 0.00 | — | 0.01 | | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.… |
| CVE-2023-1256 | | | 0.00 | — | 0.01 | | Mar 16, 2023 | The listed versions of AVEVA Plant SCADA and AVEVA Telemetry Server are vulnerable to an improper authorization exploit which could allow an unauthenticated user to remotely read data, cause denial of service, and tamper with alarm states. |
| CVE-2023-0595 | | | 0.00 | — | 0.00 | | Feb 24, 2023 | A CWE-117: Improper Output Neutralization for Logs vulnerability exists that could cause the misinterpretation of log files when malicious packets are sent to the Geo SCADA server's database web port (default 443). Affected products: EcoStruxure Geo SCADA Expert 2019,… |
| CVE-2021-38410 | | | 0.00 | — | 0.00 | | Jul 27, 2022 | AVEVA Software Platform Common Services (PCS) Portal versions 4.5.2, 4.5.1, 4.5.0, and 4.4.6 are vulnerable to DLL hijacking through an uncontrolled search path element, which may allow an attacker control to one or more locations in the search path. |
| CVE-2022-1467 | | | 0.00 | — | 0.01 | | May 23, 2022 | Windows OS can be configured to overlay a “language bar” on top of any application. When this OS functionality is enabled, the OS language bar UI will be viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications. It is… |
| CVE-2022-24321 | | | 0.00 | — | 0.01 | | Feb 9, 2022 | A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause Denial of Service against the Geo SCADA server when receiving a malformed HTTP request. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All… |
| CVE-2022-24320 | | | 0.00 | — | 0.01 | | Feb 9, 2022 | A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-the-Middle attack when communications between the client and Geo SCADA database server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All… |
| CVE-2022-24319 | | | 0.00 | — | 0.01 | | Feb 9, 2022 | A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-the-Middle attack when communications between the client and Geo SCADA web server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All… |
| CVE-2022-24318 | | | 0.00 | — | 0.00 | | Feb 9, 2022 | A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions),… |
| CVE-2021-32987 | | | 0.00 | — | 0.01 | | Sep 23, 2021 | Null pointer dereference in SuiteLink server while processing command 0x0b |
| CVE-2021-32999 | | | 0.00 | — | 0.01 | | Sep 23, 2021 | Improper handling of exceptional conditions in SuiteLink server while processing command 0x01 |
| CVE-2021-32979 | | | 0.00 | — | 0.01 | | Sep 23, 2021 | Null pointer dereference in SuiteLink server while processing commands 0x04/0x0a |
| CVE-2021-32971 | | | 0.00 | — | 0.01 | | Sep 23, 2021 | Null pointer dereference in SuiteLink server while processing command 0x07 |
| CVE-2021-32959 | | | 0.00 | — | 0.01 | | Sep 23, 2021 | Heap-based buffer overflow in SuiteLink server while processing commands 0x05/0x06 |
| CVE-2021-32963 | | | 0.00 | — | 0.01 | | Sep 23, 2021 | Null pointer dereference in SuiteLink server while processing commands 0x03/0x10 |
| CVE-2021-32942 | | | 0.00 | — | 0.00 | | Jun 9, 2021 | The vulnerability could expose cleartext credentials from AVEVA InTouch Runtime 2020 R2 and all prior versions (WindowViewer) if an authorized, privileged user creates a diagnostic memory dump of the process and saves it to a non-protected location. |
| CVE-2021-22741 | | | 0.00 | — | 0.00 | | May 26, 2021 | Use of Password Hash with Insufficient Computational Effort vulnerability exists in ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior), which could cause the revealing of account credentials… |
| CVE-2019-13537 | | | 0.00 | — | 0.01 | | Jan 14, 2020 | The IEC870IP driver for AVEVA’s Vijeo Citect and Citect SCADA and Schneider Electric’s Power SCADA Operation has a buffer overflow vulnerability that could result in a server-side crash. |
| CVE-2019-10981 | | | 0.00 | — | 0.00 | | May 31, 2019 | In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulnerability has been identified that may allow an authenticated local user access to Citect user credentials. |
| CVE-2015-1009 | | | 0.00 | — | 0.00 | | Aug 1, 2015 | Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file. |
| CVE-2015-0999 | | | 0.00 | — | 0.00 | | Mar 29, 2015 | Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 store cleartext OPC User credentials in a configuration file, which allows local users to obtain sensitive information by reading this file. |
| CVE-2015-0998 | | | 0.00 | — | 0.01 | | Mar 29, 2015 | Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 transmit cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. |
| CVE-2015-0997 | | | 0.00 | — | 0.02 | | Mar 29, 2015 | Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 provide an HMI user interface that lists all valid usernames, which makes it easier for remote attackers to obtain access via a brute-force… |
| CVE-2015-0996 | | | 0.00 | — | 0.00 | | Mar 29, 2015 | Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to… |
| CVE-2014-5413 | | | 0.00 | — | 0.01 | | Sep 18, 2014 | Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 uses the MD5 algorithm for an X.509 certificate, which makes it easier for remote attackers to spoof servers via a cryptographic attack against this algorithm. |
| CVE-2014-5412 | | | 0.00 | — | 0.02 | | Sep 18, 2014 | Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account. |
| CVE-2014-5411 | | | 0.00 | — | 0.01 | | Sep 18, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
Page 1 of 2