Vulnerabilities > Schneider Electric

DATE CVE VULNERABILITY TITLE RISK
2020-06-16 CVE-2020-7494 Path Traversal vulnerability in Schneider-Electric EcoStruxure Operator Terminal Expert 3.0/3.1
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file.
local
low complexity
schneider-electric CWE-22
7.8
2020-06-16 CVE-2020-7493 SQL Injection vulnerability in Schneider-Electric EcoStruxure Operator Terminal Expert 3.0/3.1
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file.
local
low complexity
schneider-electric CWE-89
7.8
2020-06-16 CVE-2020-7492 Weak Password Requirements vulnerability in Schneider-Electric GP-Pro EX Firmware 1.00/4.08.200/4.09.120
A CWE-521: Weak Password Requirements vulnerability exists in the GP-Pro EX V1.00 to V4.09.100 which could cause the discovery of the password when the user is entering the password because it is not masked.
network
low complexity
schneider-electric CWE-521
6.5
2020-05-14 CVE-2020-10626 Uncontrolled Search Path Element vulnerability in multiple products
In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled search path element vulnerability could allow a malicious DLL file with the same name as any resident DLL inside the software installation to execute arbitrary code.
local
low complexity
fazecast schneider-electric CWE-427
7.8
2020-04-22 CVE-2020-7490 Untrusted Search Path vulnerability in Schneider-Electric Vijeo Designer 1.0/1.1/6.9
A CWE-426: Untrusted Search Path vulnerability exists in Vijeo Designer Basic (V1.1 HotFix 15 and prior) and Vijeo Designer (V6.9 SP9 and prior), which could cause arbitrary code execution on the system running Vijeo Basic when a malicious DLL library is loaded by the product.
local
low complexity
schneider-electric CWE-426
7.8
2020-04-22 CVE-2020-7489 Injection vulnerability in Schneider-Electric products
A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert – Basic or SoMachine Basic programming software (versions in security notification).
network
low complexity
schneider-electric CWE-74
critical
9.8
2020-04-22 CVE-2020-7488 Cleartext Transmission of Sensitive Information vulnerability in Schneider-Electric products
A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists which could leak sensitive information transmitted between the software and the Modicon M218, M241, M251, and M258 controllers.
network
low complexity
schneider-electric CWE-319
7.5
2020-04-22 CVE-2020-7487 Insufficient Verification of Data Authenticity vulnerability in Schneider-Electric products
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists which could allow the attacker to execute malicious code on the Modicon M218, M241, M251, and M258 controllers.
network
low complexity
schneider-electric CWE-345
critical
9.8
2020-04-22 CVE-2019-6859 Use of Hard-coded Credentials vulnerability in Schneider-Electric products
A CWE-798: Use of Hardcoded Credentials vulnerability exists in Modicon Controllers (All versions of the following CPUs and Communication Module product references listed in the Security Notifications), which could cause the disclosure of FTP hardcoded credentials when using the Web server of the controller on an unsecure network.
network
low complexity
schneider-electric CWE-798
7.5
2020-04-16 CVE-2020-7486 Resource Exhaustion vulnerability in Schneider-Electric products
**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause TCM modules to reset when under high network load in TCM v10.4.x and in system v10.3.x.
network
low complexity
schneider-electric CWE-400
7.5