Vulnerabilities > Schneider Electric

DATE CVE VULNERABILITY TITLE RISK
2023-11-15 CVE-2023-5987 Cross-site Scripting vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert 2020/2021
A CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists that could lead to a cross-site scripting condition in which attackers can have a victim’s browser run arbitrary JavaScript when the victim visits a page containing the injected payload.
network
low complexity
schneider-electric CWE-79
6.1
2023-11-15 CVE-2023-6032 Path Traversal vulnerability in Schneider-Electric Galaxy VL Firmware and Galaxy VS Firmware
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS.
network
low complexity
schneider-electric CWE-22
5.3
2023-10-04 CVE-2023-5391 Deserialization of Untrusted Data vulnerability in Schneider-Electric products
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.
network
low complexity
schneider-electric CWE-502
critical
9.8
2023-10-04 CVE-2023-5399 Path Traversal vulnerability in Schneider-Electric Spacelogic C-Bus Toolkit
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command.
network
low complexity
schneider-electric CWE-22
critical
9.8
2023-10-04 CVE-2023-5402 Improper Privilege Management vulnerability in Schneider-Electric C-Bus Toolkit
A CWE-269: Improper Privilege Management vulnerability exists that could cause remote code execution when the transfer command is used over the network.
network
low complexity
schneider-electric CWE-269
critical
9.8
2023-09-14 CVE-2023-4516 Missing Authentication for Critical Function vulnerability in Schneider-Electric Interactive Graphical Scada System
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change the update source, potentially leading to remote code execution when the attacker forces an update containing malicious content.
local
low complexity
schneider-electric CWE-306
7.8
2023-08-09 CVE-2023-3953 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Pro-Face Gp-Pro EX
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX.
local
low complexity
schneider-electric CWE-119
5.3
2023-07-12 CVE-2023-29414 Classic Buffer Overflow vulnerability in Schneider-Electric Accutech Manager 2.00.1/2.00.2
A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists that could cause user privilege escalation if a local user sends specific string input to a local function call.
local
low complexity
schneider-electric CWE-120
7.8
2023-07-12 CVE-2023-37199 Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.
network
low complexity
schneider-electric CWE-94
7.2
2023-07-12 CVE-2023-37196 SQL Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change or delete content, or perform unauthorized actions when tampering with the alert settings of endpoints on DCE.
network
low complexity
schneider-electric CWE-89
8.8