Vulnerabilities > Schneider Electric
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-04-16 | CVE-2020-7485 | Unspecified vulnerability in Schneider-Electric Tristation 1131 **VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy support account in the TriStation software version v4.9.0 and earlier could cause improper access to the TriStation host machine. | 9.8 |
| 2020-04-16 | CVE-2020-7484 | Unspecified vulnerability in Schneider-Electric Tristation 1131 **VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability with the former 'password' feature could allow a denial of service attack if the user is not following documented guidelines pertaining to dedicated TriStation connection and key-switch protection. | 7.5 |
| 2020-04-16 | CVE-2020-7483 | Cleartext Transmission of Sensitive Information vulnerability in Schneider-Electric Tristation 1131 **VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause certain data to be visible on the network when the 'password' feature is enabled. | 7.5 |
| 2020-03-23 | CVE-2020-7482 | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists Andover Continuum (All versions), which could cause a Reflective Cross-site Scripting (XSS attack) when using the products' web server. | 6.1 |
| 2020-03-23 | CVE-2020-7481 | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists Andover Continuum (All versions), which could enable a successful Cross-site Scripting (XSS attack) when using the products' web server. | 6.1 |
| 2020-03-23 | CVE-2020-7480 | Code Injection vulnerability in Schneider-Electric products A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data. | 9.8 |
| 2020-03-23 | CVE-2020-7479 | Missing Authentication for Critical Function vulnerability in Schneider-Electric Interactive Graphical Scada System 14.0/14.0.0.19120 A CWE-306: Missing Authentication for Critical Function vulnerability exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a local user to execute processes that otherwise require escalation privileges when sending local network commands to the IGSS Update Service. | 7.8 |
| 2020-03-23 | CVE-2020-7478 | Path Traversal vulnerability in Schneider-Electric Interactive Graphical Scada System 14.0/14.0.0.19120 A CWE-22: Improper Limitation of a Pathname to a Restricted Directory exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a remote unauthenticated attacker to read arbitrary files from the IGSS server PC on an unrestricted or shared network when the IGSS Update Service is enabled. | 7.5 |
| 2020-03-23 | CVE-2020-7477 | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Quantum Ethernet Network module 140NOE771x1 (Versions 7.0 and prior), Quantum processors with integrated Ethernet – 140CPU65xxxxx (all Versions), and Premium processors with integrated Ethernet (all Versions), which could cause a Denial of Service when sending a specially crafted command over Modbus. | 7.5 |
| 2020-03-23 | CVE-2020-7476 | Untrusted Search Path vulnerability in Schneider-Electric Ulti Zigbee Installation Toolkit A CWE-426: Untrusted Search Path vulnerability exists in ZigBee Installation Kit (Versions prior to 1.0.1), which could cause execution of malicious code when a malicious file is put in the search path. | 7.8 |