Vulnerabilities > Schneider Electric
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-04-18 | CVE-2023-25553 | Cross-site Scripting vulnerability in Schneider-Electric StruxureWare Data Center Expert. A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. | 6.1 |
2023-04-18 | CVE-2023-25554 | OS Command Injection vulnerability in Schneider-Electric StruxureWare Data Center Expert. A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | 7.8 |
2023-04-18 | CVE-2023-25555 | OS Command Injection vulnerability in Schneider-Electric StruxureWare Data Center Expert. A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. | 8.1 |
2023-04-18 | CVE-2023-29411 | Missing Authentication for Critical Function vulnerability in Schneider-Electric products. A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. | 9.8 |
2023-04-18 | CVE-2023-29412 | OS Command Injection vulnerability in Schneider-Electric products. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface. | 9.8 |
2023-04-18 | CVE-2023-29413 | Missing Authentication for Critical Function vulnerability in Schneider-Electric products. A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. | 7.5 |
2023-04-18 | CVE-2022-34755 | Uncontrolled Search Path Element vulnerability in Schneider-Electric Easergy Builder Installer. A CWE-427 - Uncontrolled Search Path Element vulnerability exists that could allow an attacker with a local privileged account to place a specially crafted file on the target machine, which may give the attacker the ability to execute arbitrary code during the installation process initiated by a valid user. | 6.7 |
2023-04-18 | CVE-2022-43376 | Cross-site Scripting vulnerability in Schneider-Electric products. A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause code and session manipulation when malicious code is inserted into the browser. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | 6.1 |
2023-04-18 | CVE-2022-43377 | Improper Restriction of Excessive Authentication Attempts vulnerability in Schneider-Electric products. A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover when a brute force attack is performed on the account. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | 7.5 |
2023-04-18 | CVE-2023-25556 | Improper Authentication vulnerability in Schneider-Electric products. A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation. | 8.8 |