Vulnerabilities > Schneider Electric

DATE CVE VULNERABILITY TITLE RISK
2023-04-18 CVE-2022-43378 Improper Restriction of Rendered UI Layers or Frames vulnerability in Schneider-Electric products
A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior)
network
low complexity
schneider-electric CWE-1021
6.5
2023-04-18 CVE-2023-25547 Incorrect Authorization vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account.
network
low complexity
schneider-electric CWE-863
8.8
2023-04-18 CVE-2023-25548 Incorrect Authorization vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user.
network
low complexity
schneider-electric CWE-863
6.5
2023-04-18 CVE-2023-25549 Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint.
network
low complexity
schneider-electric CWE-94
critical
9.8
2023-04-18 CVE-2023-25550 Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
network
low complexity
schneider-electric CWE-94
critical
9.8
2023-04-18 CVE-2023-25551 Cross-site Scripting vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
network
low complexity
schneider-electric CWE-79
6.1
2023-04-18 CVE-2023-25552 Missing Authorization vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints.
network
low complexity
schneider-electric CWE-862
8.1
2023-04-18 CVE-2023-25553 Cross-site Scripting vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver.
network
low complexity
schneider-electric CWE-79
6.1
2023-04-18 CVE-2023-25554 OS Command Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
local
low complexity
schneider-electric CWE-78
7.8
2023-04-18 CVE-2023-25555 OS Command Injection vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH.
network
high complexity
schneider-electric CWE-78
8.1