Schneider-Electric:  Security Vulnerabilities
A CWE-494 Download of Code Without Integrity Check vulnerability exists that could allow modified firmware to be uploaded when an authorized admin user begins a firmware update procedure, which could result in full control over the device.
CVSS Score
7.2
EPSS Score
0.0
Published
2023-11-15
A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values.
CVSS Score
4.8
EPSS Score
0.001
Published
2023-11-15
A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an open redirect vulnerability leading to a cross-site scripting attack. By providing a URL-encoded input, attackers can cause the software’s web application to redirect to the chosen domain after a successful login is performed.
CVSS Score
8.2
EPSS Score
0.002
Published
2023-11-15
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists that could lead to a cross-site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-11-15
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS.
CVSS Score
5.3
EPSS Score
0.002
Published
2023-11-15
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.
CVSS Score
9.8
EPSS Score
0.004
Published
2023-10-04
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command.
CVSS Score
9.8
EPSS Score
0.251
Published
2023-10-04
A CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network.
CVSS Score
9.8
EPSS Score
0.003
Published
2023-10-04
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change the update source, potentially leading to remote code execution when the attacker forces an update containing malicious content.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-09-14
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-08-09

