Vulnerabilities > Schneider Electric
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-11 | CVE-2020-7535 | Path Traversal vulnerability in Schneider-Electric products A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP. | 7.5 |
| 2020-12-11 | CVE-2020-28220 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Modicon M258 Firmware, Somachine and Somachine Motion A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified. | 6.8 |
| 2020-12-11 | CVE-2020-28219 | Insufficiently Protected Credentials vulnerability in Schneider-Electric products A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX. | 7.8 |
| 2020-12-11 | CVE-2020-28218 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2/2.7 A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to trick a user into initiating an unintended action. | 6.5 |
| 2020-12-11 | CVE-2020-28217 | Missing Encryption of Sensitive Data vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2/2.7 A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol. | 7.5 |
| 2020-12-11 | CVE-2020-28216 | Missing Encryption of Sensitive Data vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2/2.7 A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol. | 7.5 |
| 2020-12-11 | CVE-2020-28215 | Missing Authorization vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2/2.7 A CWE-862: Missing Authorization vulnerability exists in Easergy T300 (firmware 2.7 and older), that could cause a wide range of problems, including information exposures, denial of service, and arbitrary code execution when access control checks are not applied consistently. | 9.8 |
| 2020-12-11 | CVE-2020-28214 | Use of a One-Way Hash with a Predictable Salt vulnerability in Schneider-Electric Modicon M221 Firmware A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide. | 5.5 |
| 2020-12-01 | CVE-2020-7548 | Use of Insufficiently Random Values vulnerability in Schneider-Electric products A CWE-330 - Use of Insufficiently Random Values vulnerability exists in Smartlink, PowerTag, and Wiser Series Gateways (see security notification for version information) that could allow unauthorized users to login. | 9.8 |
| 2020-12-01 | CVE-2020-7547 | Unspecified vulnerability in Schneider-Electric products A CWE-284: Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow a user the ability to perform actions via the web interface at a higher privilege level. | 8.8 |