Schneider-Electric: >> Ecostruxure Power Monitoring Expert Security Vulnerabilities
A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input
attackers can cause the software’s web application to redirect to the chosen domain after a
successful login is performed.
CVSS Score
8.2
EPSS Score
0.002
Published
2023-11-15
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
vulnerability that could cause a vulnerability leading to a cross site scripting condition where
attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing
the injected payload.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-11-15
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to
execute arbitrary code on the targeted system by sending a specifically crafted packet to the
application.
CVSS Score
9.8
EPSS Score
0.004
Published
2023-10-04
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to
maintain unauthorized access over a hijacked session in PME after the legitimate user has
signed out of their account.
CVSS Score
6.7
EPSS Score
0.002
Published
2023-04-18
A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)
CVSS Score
6.5
EPSS Score
0.003
Published
2022-02-04
A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user�s local machine when the user clicks a specially crafted link. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)
CVSS Score
8.8
EPSS Score
0.008
Published
2022-02-04
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)
CVSS Score
5.4
EPSS Score
0.005
Published
2022-02-04
A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload. This CVE is unique from CVE-2021-22827. Affected Product: EcoStruxure� Power Monitoring Expert 9.0 and prior versions
CVSS Score
8.8
EPSS Score
0.007
Published
2022-01-28
A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload. This CVE is unique from CVE-2021-22826. Affected Product: EcoStruxure� Power Monitoring Expert 9.0 and prior versions
CVSS Score
8.8
EPSS Score
0.004
Published
2022-01-28
A CWE-284:Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow for arbitrary code execution on the server when an authorized user access an affected webpage.
CVSS Score
7.2
EPSS Score
0.005
Published
2020-12-01
Page 1