Vulnerabilities > Schneider Electric

DATE CVE VULNERABILITY TITLE RISK
2023-09-14 CVE-2023-4516 Missing Authentication for Critical Function vulnerability in Schneider-Electric Interactive Graphical Scada System
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change update source, potentially leading to remote code execution when the attacker force an update containing malicious content.
local
low complexity
schneider-electric CWE-306
7.8
2023-08-09 CVE-2023-3953 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Pro-Face Gp-Pro EX
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX.
local
low complexity
schneider-electric CWE-119
5.3
2023-07-12 CVE-2023-29414 Classic Buffer Overflow vulnerability in Schneider-Electric Accutech Manager 2.00.1/2.00.2
A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists that could cause user privilege escalation if a local user sends specific string input to a local function call.
local
low complexity
schneider-electric CWE-120
7.8
2023-07-12 CVE-2023-37199 Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.
network
low complexity
schneider-electric CWE-94
7.2
2023-07-12 CVE-2023-37196 SQL Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the alert settings of endpoints on DCE.
network
low complexity
schneider-electric CWE-89
8.8
2023-07-12 CVE-2023-37197 SQL Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE.
network
low complexity
schneider-electric CWE-89
8.8
2023-07-12 CVE-2023-37198 Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.
network
low complexity
schneider-electric CWE-94
7.2
2023-06-14 CVE-2023-1049 Code Injection vulnerability in Schneider-Electric products
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI.
local
low complexity
schneider-electric CWE-94
7.8
2023-06-14 CVE-2023-2569 Out-of-bounds Write vulnerability in Schneider-Electric Ecostruxure Foxboro DCS Control Core Services
A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, elevation of privilege, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
local
low complexity
schneider-electric CWE-787
7.8
2023-06-14 CVE-2023-2570 Improper Validation of Array Index vulnerability in Schneider-Electric Ecostruxure Foxboro DCS Control Core Services
A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys driver.
local
low complexity
schneider-electric CWE-129
7.8