Schneider-Electric: Security Vulnerabilities
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that
could cause unauthorized read access to the file system when a malicious configuration file is
loaded on to the software by a local user.
CVSS Score
5.0
EPSS Score
0.0
Published
2023-05-16
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that
could cause denial of service of the controller when a malicious project file is loaded onto the
controller by an authenticated user.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-04-19
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that
could cause denial of service of the controller when communicating over the Modbus TCP
protocol.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-04-19
A CWE-20: Improper Input Validation vulnerability exists that could allow an authenticated
attacker to gain the same privilege as the application on the server when a malicious payload is
provided over HTTP for the server to execute.
CVSS Score
7.2
EPSS Score
0.001
Published
2023-04-18
A CWE-129: Improper validation of an array index vulnerability exists where a specially crafted
Ethernet request could result in denial of service or remote code execution.
CVSS Score
9.8
EPSS Score
0.012
Published
2023-04-18
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to
maintain unauthorized access over a hijacked session in PME after the legitimate user has
signed out of their account.
CVSS Score
6.7
EPSS Score
0.002
Published
2023-04-18
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow
changes to administrative credentials, leading to potential remote code execution without
requiring prior authentication on the Java RMI interface.
CVSS Score
9.8
EPSS Score
0.099
Published
2023-04-18
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
Injection') vulnerability exists that could cause remote code execution when manipulating
internal methods through Java RMI interface.
CVSS Score
9.8
EPSS Score
0.066
Published
2023-04-18
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause
Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor
service.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-04-18
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution
on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
8.8
EPSS Score
0.042
Published
2023-04-18