Schneider-Electric: >> Struxureware Data Center Expert >> 7.4.1 Security Vulnerabilities
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause remote code execution when an admin user on DCE tampers with backups which
are then manually restored.
CVSS Score
6.8
EPSS Score
0.017
Published
2023-07-12
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to
access unauthorized content, change, or delete content, or perform unauthorized actions when
tampering with the alert settings of endpoints on DCE.
CVSS Score
8.8
EPSS Score
0.003
Published
2023-07-12
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to
access unauthorized content, change, or delete content, or perform unauthorized actions when
tampering with the mass configuration settings of endpoints on DCE.
CVSS Score
8.8
EPSS Score
0.003
Published
2023-07-12
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause remote code execution when an admin user on DCE uploads or tampers with install
packages.
CVSS Score
6.8
EPSS Score
0.016
Published
2023-07-12
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution
on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
8.8
EPSS Score
0.042
Published
2023-04-18
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device
credentials on specific DCE endpoints not being properly secured when a hacker is using a low
privileged user.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
8.8
EPSS Score
0.003
Published
2023-04-18
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
allows for remote code execution when using a parameter of the DCE network settings
endpoint.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
7.2
EPSS Score
0.028
Published
2023-04-18
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
allows remote code execution via the “hostname” parameter when maliciously crafted hostname
syntax is entered.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
7.2
EPSS Score
0.028
Published
2023-04-18
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters
over HTTP.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
6.1
EPSS Score
0.003
Published
2023-04-18
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized
content, changes or deleting of content, or performing unauthorized functions when tampering
the Device File Transfer settings on DCE endpoints.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVSS Score
8.1
EPSS Score
0.002
Published
2023-04-18
Page 1