Vulnerabilities > Schneider Electric
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-11-30 | CVE-2018-7831 | Cross-Site Request Forgery (CSRF) vulnerability in Schneider-Electric products An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 allowing an attacker to send a specially crafted URL to a currently authenticated web server user to execute a password change on the web server. | 4.3 |
| 2018-11-30 | CVE-2018-7830 | HTTP Response Splitting vulnerability in Schneider-Electric products Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a denial of service can occur for ~1 minute by sending a specially crafted HTTP request. | 5.0 |
| 2018-11-30 | CVE-2018-7811 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Schneider-Electric products An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server | 5.0 |
| 2018-11-30 | CVE-2018-7810 | Cross-site Scripting vulnerability in Schneider-Electric products An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 allowing an attacker to craft a URL containing JavaScript that will be executed within the user's browser, potentially impacting the machine the browser is running on. | 4.3 |
| 2018-11-30 | CVE-2018-7809 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Schneider-Electric products An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server. | 6.4 |
| 2018-11-30 | CVE-2018-7807 | Path Traversal vulnerability in Schneider-Electric Struxureware Data Center Expert Data Center Expert, versions 7.5.0 and earlier, allows for the upload of a zip file from its user interface to the server. | 6.5 |
| 2018-11-30 | CVE-2018-7806 | Path Traversal vulnerability in Schneider-Electric Struxureware Data Center Operation Data Center Operation allows for the upload of a zip file from its user interface to the server. | 6.5 |
| 2018-11-02 | CVE-2018-7799 | Uncontrolled Search Path Element vulnerability in Schneider-Electric Software Update Utility 1.0/1.0.13/1.1 A DLL hijacking vulnerability exists in Schneider Electric Software Update (SESU), all versions prior to V2.2.0, which could allow an attacker to execute arbitrary code on the targeted system when placing a specific DLL file. | 9.3 |
| 2018-11-02 | CVE-2018-7798 | Insufficient Verification of Data Authenticity vulnerability in Schneider-Electric Somachine Basic A Insufficient Verification of Data Authenticity (CWE-345) vulnerability exists in the Modicon M221, all versions, which could cause a change of IPv4 configuration (IP address, mask and gateway) when remotely connected to the device. | 6.4 |
| 2018-08-29 | CVE-2018-7792 | Missing Authorization vulnerability in Schneider-Electric Modicon M221 Firmware 1.1.1.5 A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). | 5.0 |