Vulnerabilities > Schneider Electric
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-04 | CVE-2022-22724 | Resource Exhaustion vulnerability in Schneider-Electric products A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. | 5.0 |
| 2022-02-04 | CVE-2022-22725 | Classic Buffer Overflow vulnerability in Schneider-Electric Easergy P3 Firmware A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. | 8.3 |
| 2022-02-04 | CVE-2022-22726 | Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. | 4.0 |
| 2022-02-04 | CVE-2022-22727 | Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user?s local machine when the user clicks a specially crafted link. | 8.8 |
| 2022-02-04 | CVE-2022-22804 | Cross-site Scripting vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. | 3.5 |
| 2022-01-28 | CVE-2021-22724 | Cross-Site Request Forgery (CSRF) vulnerability in Schneider-Electric products A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. | 8.8 |
| 2022-01-28 | CVE-2021-22725 | Cross-Site Request Forgery (CSRF) vulnerability in Schneider-Electric products A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. | 8.8 |
| 2022-01-28 | CVE-2021-22799 | Insufficient Entropy vulnerability in Schneider-Electric Software Update A CWE-331: Insufficient Entropy vulnerability exists that could cause unintended connection from an internal network to an external network when an attacker manages to decrypt the SESU proxy password from the registry. | 2.1 |
| 2022-01-28 | CVE-2021-22807 | Out-of-bounds Write vulnerability in Schneider-Electric Guicon 2.0 A CWE-787: Out-of-bounds Write vulnerability exists that could cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool. | 6.8 |
| 2022-01-28 | CVE-2021-22808 | Use After Free vulnerability in Schneider-Electric Guicon 2.0 A CWE-416: Use After Free vulnerability exists that could cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool. | 6.8 |