Vulnerabilities > Schneider Electric

DATE CVE VULNERABILITY TITLE RISK
2020-06-16 CVE-2020-7505 Download of Code Without Integrity Check vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2
A CWE-494: Download of Code Without Integrity Check vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to inject data with dangerous content into the firmware and execute arbitrary code on the system.
network
low complexity
schneider-electric CWE-494
7.2
2020-06-16 CVE-2020-7504 Improper Input Validation vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2
A CWE-20: Improper Input Validation vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to disable the webserver service on the device when specially crafted network packets are sent.
network
low complexity
schneider-electric CWE-20
5.3
2020-06-16 CVE-2020-7503 Cross-Site Request Forgery (CSRF) vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2
A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to execute malicious commands on behalf of a legitimate user when xsrf-token data is intercepted.
network
low complexity
schneider-electric CWE-352
8.8
2020-06-16 CVE-2020-7502 Out-of-bounds Write vulnerability in Schneider-Electric Modicon M218 Firmware 4.3
A CWE-787: Out-of-bounds Write vulnerability exists in Modicon M218 Logic Controller (Firmware version 4.3 and prior), which may cause a Denial of Service when specific TCP/IP crafted packets are sent to the Modicon M218 Logic Controller.
network
low complexity
schneider-electric CWE-787
7.5
2020-06-16 CVE-2020-7501 Use of Hard-coded Credentials vulnerability in Schneider-Electric Vijeo Designer
A CWE-798: Use of Hard-coded Credentials vulnerability exists in Vijeo Designer Basic (V1.1 HotFix 16 and prior) and Vijeo Designer (V6.2 SP9 and prior) which could cause unauthorized read and write when downloading and uploading project or firmware into Vijeo Designer Basic and Vijeo Designer.
network
low complexity
schneider-electric CWE-798
8.8
2020-06-16 CVE-2020-7500 SQL Injection vulnerability in Schneider-Electric products
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause arbitrary code to be executed when a malicious command is entered.
network
low complexity
schneider-electric CWE-89
critical
9.8
2020-06-16 CVE-2020-7499 Incorrect Authorization vulnerability in Schneider-Electric products
A CWE-863: Incorrect Authorization vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause unauthorized access when a low privileged user makes unauthorized changes.
network
low complexity
schneider-electric CWE-863
6.5
2020-06-16 CVE-2020-7498 Use of Hard-coded Credentials vulnerability in Schneider-Electric OS Loader and Unity Loader
A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions).
network
low complexity
schneider-electric CWE-798
critical
9.8
2020-06-16 CVE-2020-7497 Path Traversal vulnerability in Schneider-Electric Ecostruxure Operator Terminal Expert 3.0/3.1
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause arbitrary application execution when the computer starts.
network
low complexity
schneider-electric CWE-22
critical
9.8
2020-06-16 CVE-2020-7495 Path Traversal vulnerability in Schneider-Electric Ecostruxure Operator Terminal Expert 3.0/3.1
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file.
local
low complexity
schneider-electric CWE-22
5.5