VYPR

Vendor CVEs

Schneider Electric

All CVEs

722 total · sorted by risk
  • CVE-2022-34764Jul 13, 2022
    risk 0.00cvss epss 0.01

    A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause denial of service when parsing the URL. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V1.0), OPC UA Modicon Communication Module…

  • CVE-2022-34763Jul 13, 2022
    risk 0.00cvss epss 0.00

    A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists that could cause loading of unauthorized firmware images due to improper verification of the firmware signature. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V2.01 and…

  • CVE-2022-34762Jul 13, 2022
    risk 0.00cvss epss 0.01

    A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause unauthorized firmware image loading when unsigned images are added to the firmware image path. Affected Products: X80 advanced RTU Communication Module…

  • CVE-2022-34761Jul 13, 2022
    risk 0.00cvss epss 0.01

    A CWE-476: NULL Pointer Dereference vulnerability exists that could cause a denial of service of the webserver when parsing JSON content type. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V2.01 and later), OPC UA Modicon Communication Module…

  • CVE-2022-34760Jul 13, 2022
    risk 0.00cvss epss 0.01

    A CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability exists that could cause a denial of service of the webserver due to improper handling of the cookies. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V1.0), OPC UA Modicon…

  • CVE-2022-34759Jul 13, 2022
    risk 0.00cvss epss 0.01

    A CWE-787: Out-of-bounds Write vulnerability exists that could cause a denial of service of the webserver due to improper parsing of the HTTP Headers. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V1.0), OPC UA Modicon Communication Module (BMENUA0100)…

  • CVE-2022-34758Jul 13, 2022
    risk 0.00cvss epss 0.00

    A CWE-20: Improper Input Validation vulnerability exists that could cause the device watchdog function to be disabled if the attacker had access to privileged user credentials. Affected Products: Easergy P5 (V01.401.102 and prior)

  • CVE-2022-34757Jul 13, 2022
    risk 0.00cvss epss 0.00

    A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists where weak cipher suites can be used for the SSH connection between Easergy Pro software and the device, which may allow an attacker to observe protected communication details. Affected Products:…

  • CVE-2022-34756Jul 13, 2022
    risk 0.00cvss epss 0.01

    A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in remote code execution or the crash of HTTPs stack which is used for the device Web HMI. Affected Products: Easergy P5 (V01.401.102 and prior)

  • CVE-2022-34754Jul 13, 2022
    risk 0.00cvss epss 0.00

    A CWE-269: Improper Privilege Management vulnerability exists that could allow elevated functionality when guessing credentials. Affected Products: Acti9 PowerTag Link C (A9XELC10-A) (V1.7.5 and prior), Acti9 PowerTag Link C (A9XELC10-B) (V2.12.0 and prior)

  • CVE-2022-32530Jun 24, 2022
    risk 0.00cvss epss 0.00

    A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a malicious application. Affected Product:…

  • CVE-2022-30238Jun 2, 2022
    risk 0.00cvss epss 0.01

    A CWE-287: Improper Authentication vulnerability exists that could allow an attacker to take over the admin account when an attacker hijacks a session. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

  • CVE-2022-30237Jun 2, 2022
    risk 0.00cvss epss 0.00

    A CWE-311: Missing Encryption of Sensitive Data vulnerability exists that could allow authentication credentials to be recovered when an attacker breaks the encoding. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

  • CVE-2022-30236Jun 2, 2022
    risk 0.00cvss epss 0.01

    A CWE-669: Incorrect Resource Transfer Between Spheres vulnerability exists that could allow unauthorized access when an attacker uses cross-domain attacks. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

  • CVE-2022-30235Jun 2, 2022
    risk 0.00cvss epss 0.01

    A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

  • CVE-2022-30234Jun 2, 2022
    risk 0.00cvss epss 0.01

    A CWE-798: Use of Hard-coded Credentials vulnerability exists that could allow arbitrary code to be executed when root level access is obtained. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

  • CVE-2022-30233Jun 2, 2022
    risk 0.00cvss epss 0.01

    A CWE-20: Improper Input Validation vulnerability exists that could allow the product to be maliciously manipulated when the user is tricked into performing certain actions on a webpage. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

  • CVE-2022-30232Jun 2, 2022
    risk 0.00cvss epss 0.01

    A CWE-20: Improper Input Validation vulnerability exists that could cause potential remote code execution when an attacker is able to intercept and modify a request on the same network or has configuration access to an ION device on the network. Affected Products: Wiser Smart,…

  • CVE-2021-30066Apr 3, 2022
    risk 0.00cvss epss 0.00

    On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, an arbitrary firmware image can be loaded because firmware signature verification (for a USB stick) can be bypassed. NOTE: this issue…

  • CVE-2021-30065Apr 3, 2022
    risk 0.00cvss epss 0.01

    On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, crafted ModBus packets can bypass the ModBus enforcer. NOTE: this issue exists because of an incomplete fix of CVE-2017-11401.

  • CVE-2021-30064Apr 3, 2022
    risk 0.00cvss epss 0.01

    On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, an SSH login can succeed with hardcoded default credentials (if the device is in the uncommissioned state).

  • CVE-2021-30063Apr 3, 2022
    risk 0.00cvss epss 0.01

    On Schneider Electric ConneXium Tofino OPCLSM TCSEFM0000 before 03.23 and Belden Tofino Xenon Security Appliance, crafted OPC packets can cause an OPC enforcer denial of service.

  • CVE-2021-30062Apr 3, 2022
    risk 0.00cvss epss 0.01

    On Schneider Electric ConneXium Tofino OPCLSM TCSEFM0000 before 03.23 and Belden Tofino Xenon Security Appliance, crafted OPC packets can bypass the OPC enforcer.

  • CVE-2021-30061Apr 3, 2022
    risk 0.00cvss epss 0.00

    On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, physically proximate attackers can execute code via a crafted file on a USB stick.

  • CVE-2022-0221Mar 28, 2022
    risk 0.00cvss epss 0.01

    A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a…

  • CVE-2021-22797Mar 28, 2022
    risk 0.00cvss epss 0.26

    A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file…

  • CVE-2021-22795Mar 28, 2022
    risk 0.00cvss epss 0.03

    A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)

  • CVE-2021-22794Mar 28, 2022
    risk 0.00cvss epss 0.02

    A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)

  • CVE-2019-6834Mar 28, 2022
    risk 0.00cvss epss 0.01

    A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected…

  • CVE-2022-24323Mar 9, 2022
    risk 0.00cvss epss 0.01

    A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software, when an attacker is able to intercept and manipulate specific Modbus response data.…

  • CVE-2022-24322Mar 9, 2022
    risk 0.00cvss epss 0.01

    A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software when an attacker is able to intercept and manipulate specific Modbus…

  • CVE-2021-22783Mar 9, 2022
    risk 0.00cvss epss 0.00

    A CWE-200: Information Exposure vulnerability exists which could allow a session hijack when the door panel is communicating with the door. Affected Product: Ritto Wiser Door (All versions)

  • CVE-2022-22806Mar 9, 2022
    risk 0.00cvss epss 0.12

    A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent. Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC…

  • CVE-2021-22824Feb 11, 2022
    risk 0.00cvss epss 0.14

    A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in denial of service, due to missing length check on user-supplied data from a constructed message received on the network. Affected Product: Interactive Graphical SCADA System Data…

  • CVE-2021-22823Feb 11, 2022
    risk 0.00cvss epss 0.21

    A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages. Affected Product: Interactive Graphical SCADA System Data Collector…

  • CVE-2021-22800Feb 11, 2022
    risk 0.00cvss epss 0.01

    A CWE-20: Improper Input Validation vulnerability exists that could cause a Denial of Service when a crafted packet is sent to the controller over network port 1105/TCP. Affected Product: Modicon M218 Logic Controller (V5.1.0.6 and prior)

  • CVE-2021-22805Feb 11, 2022
    risk 0.00cvss epss 0.01

    A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages. Affected Product: Interactive Graphical SCADA System Data Collector…

  • CVE-2021-22804Feb 11, 2022
    risk 0.00cvss epss 0.01

    A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause disclosure of arbitrary files being read in the context of the user running IGSS, due to missing validation of user supplied data in network messages. Affected Product:…

  • CVE-2021-22803Feb 11, 2022
    risk 0.00cvss epss 0.02

    A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could lead to remote code execution through a number of paths, when an attacker, writes arbitrary files to folders in context of the DC module, by sending constructed messages on the network.…

  • CVE-2021-22802Feb 11, 2022
    risk 0.00cvss epss 0.20

    A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in remote code execution due to missing length check on user supplied data, when a constructed message is received on the network. Affected Product: Interactive Graphical SCADA System…

  • CVE-2021-22801Feb 11, 2022
    risk 0.00cvss epss 0.01

    A CWE-269: Improper Privilege Management vulnerability exists that could cause an arbitrary command execution when the software is configured with specially crafted event actions. Affected Product: ConneXium Network Manager Software (All Versions)

  • CVE-2021-22806Feb 11, 2022
    risk 0.00cvss epss 0.01

    A CWE-669: Incorrect Resource Transfer Between Spheres vulnerability exists that could cause data exfiltration and unauthorized access when accessing a malicious website. Affected Product: spaceLYnk (V2.6.1 and prior), Wiser for KNX (V2.6.1 and prior), fellerLYnk (V2.6.1 and…

  • CVE-2021-22796Feb 11, 2022
    risk 0.00cvss epss 0.01

    A CWE-287: Improper Authentication vulnerability exists that could allow remote code execution when a malicious file is uploaded. Affected Product: C-Bus Toolkit (V1.15.9 and prior), C-Gate Server (V2.11.7 and prior)

  • CVE-2021-22748Feb 11, 2022
    risk 0.00cvss epss 0.02

    A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could allow a remote code execution when a file is saved. Affected Product: C-Bus Toolkit (V1.15.9 and prior), C-Gate Server (V2.11.7 and prior)

  • CVE-2022-24321Feb 9, 2022
    risk 0.00cvss epss 0.01

    A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause Denial of Service against the Geo SCADA server when receiving a malformed HTTP request. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All…

  • CVE-2021-22817Feb 9, 2022
    risk 0.00cvss epss 0.00

    A CWE-276: Incorrect Default Permissions vulnerability exists that could cause unauthorized access to the base installation directory leading to local privilege escalation. Affected Product: Harmony/Magelis iPC Series (All Versions), Vijeo Designer (All Versions prior to V6.2…

  • CVE-2022-24320Feb 9, 2022
    risk 0.00cvss epss 0.01

    A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All…

  • CVE-2022-24319Feb 9, 2022
    risk 0.00cvss epss 0.01

    A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA web server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All…

  • CVE-2022-24318Feb 9, 2022
    risk 0.00cvss epss 0.00

    A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions),…

  • CVE-2022-22812Feb 9, 2022
    risk 0.00cvss epss 0.01

    A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a web session compromise when an attacker injects and then executes arbitrary malicious JavaScript code inside the target browser. Affected…

Page 8 of 15