Schneider-Electric: Security Vulnerabilities
A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability
exists that could cause user privilege escalation if a local user sends specific string input to a
local function call.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-07-12
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause remote code execution when an admin user on DCE tampers with backups which
are then manually restored.
CVSS Score
6.8
EPSS Score
0.017
Published
2023-07-12
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to
access unauthorized content, change, or delete content, or perform unauthorized actions when
tampering with the alert settings of endpoints on DCE.
CVSS Score
8.8
EPSS Score
0.003
Published
2023-07-12
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to
access unauthorized content, change, or delete content, or perform unauthorized actions when
tampering with the mass configuration settings of endpoints on DCE.
CVSS Score
8.8
EPSS Score
0.003
Published
2023-07-12
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause remote code execution when an admin user on DCE uploads or tampers with install
packages.
CVSS Score
6.8
EPSS Score
0.016
Published
2023-07-12
A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service,
elevation of privilege, and potentially kernel execution when a malicious actor with local user
access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-06-14
A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local
denial-of-service, and potentially kernel execution when a malicious actor with local user access
crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys driver.
CVSS Score
7.0
EPSS Score
0.0
Published
2023-06-14
A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that
could cause an interpretation of malicious payload data, potentially leading to remote code
execution when an attacker gets the user to open a malicious file.
CVSS Score
7.8
EPSS Score
0.046
Published
2023-06-14
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause execution of malicious code when an unsuspicious user loads a project file from the
local filesystem into the HMI.
CVSS Score
7.8
EPSS Score
0.001
Published
2023-06-14
A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could
cause disclosure of sensitive information, denial of service, or modification of data if an attacker
is able to intercept network traffic.
CVSS Score
8.8
EPSS Score
0.001
Published
2023-05-22