Vulnerabilities > Schneider Electric
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-18 | CVE-2023-25551 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | 6.1 |
| 2023-04-18 | CVE-2023-25552 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. | 8.1 |
| 2023-04-18 | CVE-2023-25553 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. | 6.1 |
| 2023-04-18 | CVE-2023-25554 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | 7.8 |
| 2023-04-18 | CVE-2023-25555 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. | 8.1 |
| 2023-04-18 | CVE-2023-29411 | Missing Authentication for Critical Function vulnerability in Schneider-Electric products A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. | 9.8 |
| 2023-04-18 | CVE-2023-29412 | Unspecified vulnerability in Schneider-Electric products CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface. | 9.8 |
| 2023-04-18 | CVE-2023-29413 | Unspecified vulnerability in Schneider-Electric products A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. | 7.5 |
| 2023-04-18 | CVE-2022-34755 | Unspecified vulnerability in Schneider-Electric Easergy Builder Installer A CWE-427 - Uncontrolled Search Path Element vulnerability exists that could allow an attacker with a local privileged account to place a specially crafted file on the target machine, which may give the attacker the ability to execute arbitrary code during the installation process initiated by a valid user. | 6.7 |
| 2023-04-18 | CVE-2022-43376 | Unspecified vulnerability in Schneider-Electric products A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause code and session manipulation when malicious code is inserted into the browser. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | 6.1 |