Vendor CVEs
Schneider Electric
All CVEs
722 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-27975 | 0.00 | — | 0.00 | Feb 14, 2024 | CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation. | |||
| CVE-2023-6408 | 0.00 | — | 0.00 | Feb 14, 2024 | CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause a denial of service and loss of confidentiality, integrity of controllers when conducting a Man in the Middle attack. | |||
| CVE-2023-6409 | 0.00 | — | 0.00 | Feb 14, 2024 | CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert. | |||
| CVE-2023-6407 | 0.00 | — | 0.00 | Dec 14, 2023 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker. | |||
| CVE-2023-6032 | 0.00 | — | 0.01 | Nov 15, 2023 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS. | |||
| CVE-2023-5987 | 0.00 | — | 0.00 | Nov 15, 2023 | A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page… | |||
| CVE-2023-5986 | 0.00 | — | 0.00 | Nov 15, 2023 | A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input attackers can cause the software’s web application to redirect to the chosen domain after… | |||
| CVE-2023-5985 | 0.00 | — | 0.00 | Nov 15, 2023 | A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values. | |||
| CVE-2023-5984 | 0.00 | — | 0.00 | Nov 15, 2023 | A CWE-494 Download of Code Without Integrity Check vulnerability exists that could allow modified firmware to be uploaded when an authorized admin user begins a firmware update procedure which could result in full control over the device. | |||
| CVE-2023-5391 | 0.00 | — | 0.01 | Oct 4, 2023 | A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application. | |||
| CVE-2023-5402 | 0.00 | — | 0.01 | Oct 4, 2023 | A CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network. | |||
| CVE-2023-29414 | 0.00 | — | 0.00 | Jul 12, 2023 | A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists that could cause user privilege escalation if a local user sends specific string input to a local function call. | |||
| CVE-2023-37199 | 0.00 | — | 0.01 | Jul 12, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | |||
| CVE-2023-37198 | 0.00 | — | 0.01 | Jul 12, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | |||
| CVE-2023-37197 | 0.00 | — | 0.01 | Jul 12, 2023 | A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions… | |||
| CVE-2023-37196 | 0.00 | — | 0.01 | Jul 12, 2023 | A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when… | |||
| CVE-2023-2570 | 0.00 | — | 0.00 | Jun 14, 2023 | A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys… | |||
| CVE-2023-2569 | 0.00 | — | 0.00 | Jun 14, 2023 | A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, elevation of privilege, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver. | |||
| CVE-2023-3001 | 0.00 | — | 0.32 | Jun 14, 2023 | A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. | |||
| CVE-2023-1049 | 0.00 | — | 0.01 | Jun 14, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI. | |||
| CVE-2023-1711 | 0.00 | — | 0.00 | May 30, 2023 | A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements. If exploited an attacker could obtain confidential information. List of CPEs: * cpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*… | |||
| CVE-2022-46680 | 0.00 | — | 0.00 | May 22, 2023 | A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic. | |||
| CVE-2023-2161 | 0.00 | — | 0.00 | May 16, 2023 | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. | |||
| CVE-2023-25620 | 0.00 | — | 0.01 | Apr 19, 2023 | A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when a malicious project file is loaded onto the controller by an authenticated user. | |||
| CVE-2023-25619 | 0.00 | — | 0.01 | Apr 19, 2023 | A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when communicating over the Modbus TCP protocol. | |||
| CVE-2023-29413 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. | |||
| CVE-2023-29412 | 0.00 | — | 0.01 | Apr 18, 2023 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface. | |||
| CVE-2023-28003 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account. | |||
| CVE-2023-25555 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. … | |||
| CVE-2023-25553 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and… | |||
| CVE-2023-25551 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and… | |||
| CVE-2023-25550 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center… | |||
| CVE-2023-25549 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||
| CVE-2023-25554 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected… | |||
| CVE-2023-25552 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. Affected products:… | |||
| CVE-2023-25548 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||
| CVE-2023-25547 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||
| CVE-2022-43378 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 -… | |||
| CVE-2022-43377 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover when a brute force attack is performed on the account. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | |||
| CVE-2022-43376 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause code and session manipulation when malicious code is inserted into the browser. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 … | |||
| CVE-2022-34755 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-427 - Uncontrolled Search Path Element vulnerability exists that could allow an attacker with a local privileged account to place a specially crafted file on the target machine, which may give the attacker the ability to execute arbitrary code during the installation… | |||
| CVE-2023-25556 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation. | |||
| CVE-2023-1548 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above) | |||
| CVE-2023-27976 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above) | |||
| CVE-2023-27981 | 0.00 | — | 0.01 | Mar 21, 2023 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in Custom Reports that could cause a remote code execution when a victim tries to open a malicious report. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior),… | |||
| CVE-2023-27979 | 0.00 | — | 0.00 | Mar 21, 2023 | A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, this could lead to denial of service when an attacker sends specific crafted messages to the Data Server… | |||
| CVE-2023-27984 | 0.00 | — | 0.01 | Mar 21, 2023 | A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. Affected Products: IGSS Data… | |||
| CVE-2023-27977 | 0.00 | — | 0.00 | Mar 21, 2023 | A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS project report directory, this could lead to loss of data when an attacker sends specific crafted messages to the Data Server TCP… | |||
| CVE-2023-27982 | 0.00 | — | 0.00 | Mar 21, 2023 | A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead… | |||
| CVE-2023-27983 | 0.00 | — | 0.00 | Mar 21, 2023 | A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow deletion of reports from the IGSS project report directory, this would lead to loss of data when an attacker abuses this functionality. Affected… |
- CVE-2023-27975Feb 14, 2024risk 0.00cvss —epss 0.00
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.
- CVE-2023-6408Feb 14, 2024risk 0.00cvss —epss 0.00
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause a denial of service and loss of confidentiality, integrity of controllers when conducting a Man in the Middle attack.
- CVE-2023-6409Feb 14, 2024risk 0.00cvss —epss 0.00
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert.
- CVE-2023-6407Dec 14, 2023risk 0.00cvss —epss 0.00
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker.
- CVE-2023-6032Nov 15, 2023risk 0.00cvss —epss 0.01
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS.
- CVE-2023-5987Nov 15, 2023risk 0.00cvss —epss 0.00
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page…
- CVE-2023-5986Nov 15, 2023risk 0.00cvss —epss 0.00
A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input attackers can cause the software’s web application to redirect to the chosen domain after…
- CVE-2023-5985Nov 15, 2023risk 0.00cvss —epss 0.00
A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values.
- CVE-2023-5984Nov 15, 2023risk 0.00cvss —epss 0.00
A CWE-494 Download of Code Without Integrity Check vulnerability exists that could allow modified firmware to be uploaded when an authorized admin user begins a firmware update procedure which could result in full control over the device.
- CVE-2023-5391Oct 4, 2023risk 0.00cvss —epss 0.01
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.
- CVE-2023-5402Oct 4, 2023risk 0.00cvss —epss 0.01
A CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network.
- CVE-2023-29414Jul 12, 2023risk 0.00cvss —epss 0.00
A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists that could cause user privilege escalation if a local user sends specific string input to a local function call.
- CVE-2023-37199Jul 12, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.
- CVE-2023-37198Jul 12, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.
- CVE-2023-37197Jul 12, 2023risk 0.00cvss —epss 0.01
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions…
- CVE-2023-37196Jul 12, 2023risk 0.00cvss —epss 0.01
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when…
- CVE-2023-2570Jun 14, 2023risk 0.00cvss —epss 0.00
A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys…
- CVE-2023-2569Jun 14, 2023risk 0.00cvss —epss 0.00
A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, elevation of privilege, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
- CVE-2023-3001Jun 14, 2023risk 0.00cvss —epss 0.32
A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file.
- CVE-2023-1049Jun 14, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI.
- CVE-2023-1711May 30, 2023risk 0.00cvss —epss 0.00
A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements. If exploited an attacker could obtain confidential information. List of CPEs: * cpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*…
- CVE-2022-46680May 22, 2023risk 0.00cvss —epss 0.00
A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic.
- CVE-2023-2161May 16, 2023risk 0.00cvss —epss 0.00
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user.
- CVE-2023-25620Apr 19, 2023risk 0.00cvss —epss 0.01
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when a malicious project file is loaded onto the controller by an authenticated user.
- CVE-2023-25619Apr 19, 2023risk 0.00cvss —epss 0.01
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when communicating over the Modbus TCP protocol.
- CVE-2023-29413Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service.
- CVE-2023-29412Apr 18, 2023risk 0.00cvss —epss 0.01
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface.
- CVE-2023-28003Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.
- CVE-2023-25555Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. …
- CVE-2023-25553Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and…
- CVE-2023-25551Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and…
- CVE-2023-25550Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center…
- CVE-2023-25549Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
- CVE-2023-25554Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected…
- CVE-2023-25552Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. Affected products:…
- CVE-2023-25548Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
- CVE-2023-25547Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
- CVE-2022-43378Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 -…
- CVE-2022-43377Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover when a brute force attack is performed on the account. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior)
- CVE-2022-43376Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause code and session manipulation when malicious code is inserted into the browser. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 …
- CVE-2022-34755Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-427 - Uncontrolled Search Path Element vulnerability exists that could allow an attacker with a local privileged account to place a specially crafted file on the target machine, which may give the attacker the ability to execute arbitrary code during the installation…
- CVE-2023-25556Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation.
- CVE-2023-1548Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above)
- CVE-2023-27976Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above)
- CVE-2023-27981Mar 21, 2023risk 0.00cvss —epss 0.01
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in Custom Reports that could cause a remote code execution when a victim tries to open a malicious report. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior),…
- CVE-2023-27979Mar 21, 2023risk 0.00cvss —epss 0.00
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, this could lead to denial of service when an attacker sends specific crafted messages to the Data Server…
- CVE-2023-27984Mar 21, 2023risk 0.00cvss —epss 0.01
A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. Affected Products: IGSS Data…
- CVE-2023-27977Mar 21, 2023risk 0.00cvss —epss 0.00
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS project report directory, this could lead to loss of data when an attacker sends specific crafted messages to the Data Server TCP…
- CVE-2023-27982Mar 21, 2023risk 0.00cvss —epss 0.00
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead…
- CVE-2023-27983Mar 21, 2023risk 0.00cvss —epss 0.00
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow deletion of reports from the IGSS project report directory, this would lead to loss of data when an attacker abuses this functionality. Affected…
Page 6 of 15