Filtered by vendor Schneider-electric
Subscribe
Total
759 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6408 | 1 Schneider-electric | 90 Ecostruxure Control Expert, Ecostruxure Process Expert, Modicon M340 Bmxp341000 and 87 more | 2025-01-23 | N/A | 8.1 HIGH |
|
CWE-924: Improper Enforcement of Message Integrity During Transmission in a
Communication Channel vulnerability exists that could cause a denial of service and loss of
confidentiality, integrity of controllers when conducting a Man in the Middle attack.
|
|||||
| CVE-2023-6409 | 1 Schneider-electric | 2 Ecostruxure Control Expert, Ecostruxure Process Expert | 2024-12-11 | N/A | 7.7 HIGH |
|
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized
access to a project file protected with application password when opening the file with
EcoStruxure Control Expert.
|
|||||
| CVE-2023-27975 | 1 Schneider-electric | 2 Ecostruxure Control Expert, Ecostruxure Process Expert | 2024-12-11 | N/A | 7.1 HIGH |
|
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized
access to the project file in EcoStruxure Control Expert when a local user tampers with the
memory of the engineering workstation.
|
|||||
| CVE-2021-22764 | 1 Schneider-electric | 8 Powerlogic Pm5560, Powerlogic Pm5560 Firmware, Powerlogic Pm5561 and 5 more | 2024-11-24 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could cause loss of connectivity to the device via Modbus TCP protocol when an attacker sends a specially crafted HTTP request.
|
|||||
| CVE-2021-22763 | 1 Schneider-electric | 10 Powerlogic Pm5560, Powerlogic Pm5560 Firmware, Powerlogic Pm5561 and 7 more | 2024-11-24 | 10.0 HIGH | 9.8 CRITICAL |
|
A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to a device.
|
|||||
| CVE-2024-6528 | 1 Schneider-electric | 10 Modicon Lmc058, Modicon Lmc058 Firmware, Modicon M241 and 7 more | 2024-11-21 | N/A | 5.4 MEDIUM |
|
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability exists that could cause a vulnerability leading to a cross-site scripting
condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a
page containing the injected payload.
|
|||||
| CVE-2024-6407 | 1 Schneider-electric | 2 Whc-5918a, Whc-5918a Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
CWE-200: Information Exposure vulnerability exists that could cause disclosure of
credentials when a specially crafted message is sent to the device.
|
|||||
| CVE-2024-5681 | 1 Schneider-electric | 1 Ecostruxure Foxboro Dcs Control Core Services | 2024-11-21 | N/A | 7.8 HIGH |
|
CWE-20: Improper Input Validation vulnerability exists that could cause local denial-of-service,
privilege escalation, and potentially kernel execution when a malicious actor with local user
access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
|
|||||
| CVE-2024-5680 | 1 Schneider-electric | 1 Ecostruxure Foxboro Dcs Control Core Services | 2024-11-21 | N/A | 7.1 HIGH |
|
CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service when a malicious actor with local user access crafts a script/program using an IOCTL
call in the Foxboro.sys driver.
|
|||||
| CVE-2024-5679 | 1 Schneider-electric | 1 Ecostruxure Foxboro Dcs Control Core Services | 2024-11-21 | N/A | 7.1 HIGH |
|
CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, or
kernel memory leak when a malicious actor with local user access crafts a script/program using
an IOCTL call in the Foxboro.sys driver.
|
|||||
| CVE-2024-5560 | 1 Schneider-electric | 7 Sage 1410, Sage 1430, Sage 1450 and 4 more | 2024-11-21 | N/A | 5.3 MEDIUM |
|
CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the
device’s web interface when an attacker sends a specially crafted HTTP request.
|
|||||
| CVE-2024-5559 | 1 Schneider-electric | 2 Powerlogic P5, Powerlogic P5 Firmware | 2024-11-21 | N/A | 6.1 MEDIUM |
|
CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists that could
cause denial of service, device reboot, or an attacker gaining full control of the relay when a
specially crafted reset token is entered into the front panel of the device.
|
|||||
| CVE-2024-5558 | 1 Schneider-electric | 4 Spacelogic As-b, Spacelogic As-b Firmware, Spacelogic As-p and 1 more | 2024-11-21 | N/A | 6.4 MEDIUM |
|
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could
cause escalation of privileges when an attacker abuses a limited admin account.
|
|||||
| CVE-2024-5557 | 1 Schneider-electric | 4 Spacelogic As-b, Spacelogic As-b Firmware, Spacelogic As-p and 1 more | 2024-11-21 | N/A | 4.5 MEDIUM |
|
CWE-532: Insertion of Sensitive Information into Log File vulnerability exists that could cause
exposure of SNMP credentials when an attacker has access to the controller logs.
|
|||||
| CVE-2024-5313 | 1 Schneider-electric | 2 Evlink Home, Evlink Home Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
|
CWE-668: Exposure of the Resource Wrong Sphere vulnerability exists that exposes a SSH
interface over the product network interface. This does not allow to directly exploit the product or
make any unintended operation as the SSH interface access is protected by an authentication
mechanism. Impacts are limited to port scanning and fingerprinting activities as well as attempts
to perform a potential denial of service attack on the exposed SSH interface.
|
|||||
| CVE-2024-5056 | 1 Schneider-electric | 6 Bmxnoe0100, Bmxnoe0100 Firmware, Bmxnoe0110 and 3 more | 2024-11-21 | N/A | 6.5 MEDIUM |
|
CWE-552: Files or Directories Accessible to External Parties vulnerability exists which may
prevent user to update the device firmware and prevent proper behavior of the webserver when
specific files or directories are removed from the filesystem.
|
|||||
| CVE-2024-37040 | 1 Schneider-electric | 7 Sage 1410, Sage 1430, Sage 1450 and 4 more | 2024-11-21 | N/A | 5.4 MEDIUM |
|
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability
exists that could allow a user with access to the device’s web interface to cause a fault on the
device when sending a malformed HTTP request.
|
|||||
| CVE-2024-37039 | 1 Schneider-electric | 7 Sage 1410, Sage 1430, Sage 1450 and 4 more | 2024-11-21 | N/A | 5.9 MEDIUM |
|
CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the
device when an attacker sends a specially crafted HTTP request.
|
|||||
| CVE-2024-37038 | 1 Schneider-electric | 7 Sage 1410, Sage 1430, Sage 1450 and 4 more | 2024-11-21 | N/A | 7.5 HIGH |
|
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated
user with access to the device’s web interface to perform unauthorized file and firmware
uploads when crafting custom web requests.
|
|||||
| CVE-2024-37037 | 1 Schneider-electric | 7 Sage 1410, Sage 1430, Sage 1450 and 4 more | 2024-11-21 | N/A | 8.1 HIGH |
|
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path
Traversal’) vulnerability exists that could allow an authenticated user with access to the device’s
web interface to corrupt files and impact device functionality when sending a crafted HTTP
request.
|
|||||
| CVE-2024-37036 | 1 Schneider-electric | 7 Sage 1410, Sage 1430, Sage 1450 and 4 more | 2024-11-21 | N/A | 9.8 CRITICAL |
|
CWE-787: Out-of-bounds Write vulnerability exists that could result in an authentication bypass
when sending a malformed POST request and particular configuration parameters are set.
|
|||||
| CVE-2024-2747 | 1 Schneider-electric | 1 Easergy Studio | 2024-11-21 | N/A | 7.8 HIGH |
|
CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio, which could
cause privilege escalation when a valid user replaces a trusted file name on the system and
reboots the machine.
|
|||||
| CVE-2024-2602 | 1 Schneider-electric | 1 Foxrtu Station | 2024-11-21 | N/A | 7.3 HIGH |
|
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability exists that could result in remote code execution when an authenticated
user executes a saved project file that has been tampered by a malicious actor.
|
|||||
| CVE-2024-0865 | 1 Schneider-electric | 1 Ecostruxure It Gateway | 2024-11-21 | N/A | 7.8 HIGH |
|
CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege
escalation when logged in as a non-administrative user.
|
|||||
| CVE-2023-7032 | 1 Schneider-electric | 1 Easergy Studio | 2024-11-21 | N/A | 7.8 HIGH |
|
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker
logged in with a user level account to gain higher privileges by providing a harmful serialized
object.
|
|||||
| CVE-2023-6407 | 2 Microsoft, Schneider-electric | 6 Windows 10 1507, Windows 11 21h2, Windows Server 2016 and 3 more | 2024-11-21 | N/A | 5.3 MEDIUM |
|
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by
a local and low-privileged attacker.
|
|||||
| CVE-2023-6032 | 1 Schneider-electric | 4 Galaxy Vl, Galaxy Vl Firmware, Galaxy Vs and 1 more | 2024-11-21 | N/A | 5.3 MEDIUM |
|
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulnerability exists that could cause a file system enumeration and file download when an
attacker navigates to the Network Management Card via HTTPS.
|
|||||
| CVE-2023-5987 | 1 Schneider-electric | 1 Ecostruxure Power Monitoring Expert | 2024-11-21 | N/A | 6.1 MEDIUM |
|
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
vulnerability that could cause a vulnerability leading to a cross site scripting condition where
attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing
the injected payload.
|
|||||
| CVE-2023-5986 | 1 Schneider-electric | 1 Ecostruxure Power Monitoring Expert | 2024-11-21 | N/A | 8.2 HIGH |
|
A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input
attackers can cause the software’s web application to redirect to the chosen domain after a
successful login is performed.
|
|||||
| CVE-2023-5985 | 1 Schneider-electric | 4 Ion8650, Ion8650 Firmware, Ion8800 and 1 more | 2024-11-21 | N/A | 4.8 MEDIUM |
|
A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability
exists that could cause compromise of a user’s browser when an attacker with admin privileges
has modified system values.
|
|||||
| CVE-2023-5984 | 1 Schneider-electric | 4 Ion8650, Ion8650 Firmware, Ion8800 and 1 more | 2024-11-21 | N/A | 7.2 HIGH |
|
A CWE-494 Download of Code Without Integrity Check vulnerability exists that could allow
modified firmware to be uploaded when an authorized admin user begins a firmware update
procedure which could result in full control over the device.
|
|||||
| CVE-2023-5630 | 1 Schneider-electric | 32 Eb450, Eb450 Firmware, Eb45e and 29 more | 2024-11-21 | N/A | 6.5 MEDIUM |
|
A CWE-494: Download of Code Without Integrity Check vulnerability exists that could allow a
privileged user to install an untrusted firmware.
|
|||||
| CVE-2023-5629 | 1 Schneider-electric | 32 Eb450, Eb450 Firmware, Eb45e and 29 more | 2024-11-21 | N/A | 8.2 HIGH |
|
A CWE-601:URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability exists that could
cause disclosure of information through phishing attempts over HTTP.
|
|||||
| CVE-2023-5402 | 1 Schneider-electric | 1 C-bus Toolkit | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A CWE-269: Improper Privilege Management vulnerability exists that could cause a remote
code execution when the transfer command is used over the network.
|
|||||
| CVE-2023-5399 | 1 Schneider-electric | 1 Spacelogic C-bus Toolkit | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability exists that could cause tampering of files on the personal computer
running C-Bus when using the File Command.
|
|||||
| CVE-2023-5391 | 1 Schneider-electric | 3 Ecostruxure Power Monitoring Expert, Ecostruxure Power Operation With Advanced Reports, Ecostruxure Power Scada Operation With Advanced Reports | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to
execute arbitrary code on the targeted system by sending a specifically crafted packet to the
application.
|
|||||
| CVE-2023-4516 | 1 Schneider-electric | 1 Interactive Graphical Scada System | 2024-11-21 | N/A | 7.8 HIGH |
|
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update
Service that could allow a local attacker to change update source, potentially leading to remote
code execution when the attacker force an update containing malicious content.
|
|||||
| CVE-2023-3953 | 1 Schneider-electric | 1 Pro-face Gp-pro Ex | 2024-11-21 | N/A | 5.3 MEDIUM |
|
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory
Buffer vulnerability exists that could cause memory corruption when an authenticated user
opens a tampered log file from GP-Pro EX.
|
|||||
| CVE-2023-3001 | 1 Schneider-electric | 1 Igss Dashboard | 2024-11-21 | N/A | 7.8 HIGH |
|
A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that
could cause an interpretation of malicious payload data, potentially leading to remote code
execution when an attacker gets the user to open a malicious file.
|
|||||
| CVE-2023-37199 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2024-11-21 | N/A | 6.8 MEDIUM |
|
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause remote code execution when an admin user on DCE tampers with backups which
are then manually restored.
|
|||||