Vulnerabilities > Schneider Electric

DATE CVE VULNERABILITY TITLE RISK
2020-11-19 CVE-2020-7552 Out-of-bounds Write vulnerability in Schneider-Electric Interactive Graphical Scada System
A CWE-787: Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247, that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
local
low complexity
schneider-electric CWE-787
7.8
2020-11-19 CVE-2020-7551 Out-of-bounds Write vulnerability in Schneider-Electric Interactive Graphical Scada System
A CWE-787: Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247, that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
local
low complexity
schneider-electric CWE-787
7.8
2020-11-19 CVE-2020-7550 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System
A CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 and prior that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
local
low complexity
schneider-electric CWE-119
7.8
2020-11-19 CVE-2020-7544 Improper Privilege Management vulnerability in Schneider-Electric Operator Terminal Expert Runtime 3.1
A CWE-269 Improper Privilege Management vulnerability exists in EcoStruxure™ Operator Terminal Expert runtime (Vijeo XD) that could cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxure™ Operator Terminal Expert.
local
low complexity
schneider-electric CWE-269
7.8
2020-11-19 CVE-2020-7538 Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric Ecostruxure Control Expert
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause a crash of the PLC simulator present in EcoStruxure™ Control Expert software when receiving a specially crafted request over Modbus.
network
low complexity
schneider-electric CWE-754
7.5
2020-11-19 CVE-2020-28213 Download of Code Without Integrity Check vulnerability in Schneider-Electric Ecostruxure Control Expert
A CWE-494: Download of Code Without Integrity Check vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when sending specially crafted requests over Modbus.
network
low complexity
schneider-electric CWE-494
8.8
2020-11-19 CVE-2020-28212 Improper Restriction of Excessive Authentication Attempts vulnerability in Schneider-Electric Ecostruxure Control Expert
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus.
network
low complexity
schneider-electric CWE-307
critical
9.8
2020-11-19 CVE-2020-28211 Incorrect Authorization vulnerability in Schneider-Electric Ecostruxure Control Expert
A CWE-863: Incorrect Authorization vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause bypass of authentication when overwriting memory using a debugger.
local
low complexity
schneider-electric CWE-863
7.8
2020-11-19 CVE-2020-28209 Unquoted Search Path or Element vulnerability in Schneider-Electric Enterprise Server Installer 1.9/3.1
A CWE-428 Windows Unquoted Search Path vulnerability exists in EcoStruxure Building Operation Enterprise Server installer V1.9 - V3.1 and Enterprise Central installer V2.0 - V3.1 that could cause any local Windows user who has write permission on at least one of the subfolders of the Connect Agent service binary path, being able to gain the privilege of the user who started the service.
local
high complexity
schneider-electric CWE-428
7.0
2020-11-19 CVE-2020-28210 Cross-site Scripting vulnerability in Schneider-Electric Ecostruxure Building Operation 2.0/3.1
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in EcoStruxure Building Operation WebStation V2.0 - V3.1 that could cause an attacker to inject HTML and JavaScript code into the user's browser.
network
low complexity
schneider-electric CWE-79
6.1