Security Vulnerabilities - CVEs Published In April 2023
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow
changes to administrative credentials, leading to potential remote code execution without
requiring prior authentication on the Java RMI interface.
CVSS Score
9.8
EPSS Score
0.06
Published
2023-04-18
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
Injection') vulnerability exists that could cause remote code execution when manipulating
internal methods through Java RMI interface.
CVSS Score
9.8
EPSS Score
0.047
Published
2023-04-18
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause
Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor
service.
CVSS Score
7.5
EPSS Score
0.003
Published
2023-04-18
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution
on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
8.8
EPSS Score
0.042
Published
2023-04-18
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device
credentials on specific DCE endpoints not being properly secured when a hacker is using a low
privileged user.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
8.8
EPSS Score
0.003
Published
2023-04-18
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
allows for remote code execution when using a parameter of the DCE network settings
endpoint.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
7.2
EPSS Score
0.028
Published
2023-04-18
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
allows remote code execution via the “hostname” parameter when maliciously crafted hostname
syntax is entered.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
7.2
EPSS Score
0.028
Published
2023-04-18
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters
over HTTP.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
6.1
EPSS Score
0.003
Published
2023-04-18
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized
content, changes or deleting of content, or performing unauthorized functions when tampering
the Device File Transfer settings on DCE endpoints.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
8.1
EPSS Score
0.002
Published
2023-04-18
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the
webserver.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
6.1
EPSS Score
0.004
Published
2023-04-18