Vulnerabilities > Schneider Electric
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-09-14 | CVE-2023-4516 | Missing Authentication for Critical Function vulnerability in Schneider-Electric Interactive Graphical SCADA System. A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change the update source, potentially leading to remote code execution when the attacker forces an update containing malicious content. | 7.8 |
2023-08-09 | CVE-2023-3953 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Pro-face GP-Pro EX. A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX. | 5.3 |
2023-07-12 | CVE-2023-29414 | Classic Buffer Overflow vulnerability in Schneider-Electric Accutech Manager 2.00.1/2.00.2. A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists that could cause user privilege escalation if a local user sends specific string input to a local function call. | 7.8 |
2023-07-12 | CVE-2023-37199 | Code Injection vulnerability in Schneider-Electric StruxureWare Data Center Expert. A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | 7.2 |
2023-07-12 | CVE-2023-37196 | SQL Injection vulnerability in Schneider-Electric StruxureWare Data Center Expert. A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change or delete content, or perform unauthorized actions when tampering with the alert settings of endpoints on DCE. | 8.8 |
2023-07-12 | CVE-2023-37197 | SQL Injection vulnerability in Schneider-Electric StruxureWare Data Center Expert. A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE. | 8.8 |
2023-07-12 | CVE-2023-37198 | Code Injection vulnerability in Schneider-Electric StruxureWare Data Center Expert. A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | 7.2 |
2023-06-14 | CVE-2023-1049 | Code Injection vulnerability in Schneider-Electric products. A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI. | 7.8 |
2023-06-14 | CVE-2023-2569 | Out-of-bounds Write vulnerability in Schneider-Electric EcoStruxure Foxboro DCS Control Core Services. A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, elevation of privilege, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver. | 7.8 |
2023-06-14 | CVE-2023-2570 | Improper Validation of Array Index vulnerability in Schneider-Electric EcoStruxure Foxboro DCS Control Core Services. A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys driver. | 7.8 |