Vulnerabilities > Schneider Electric
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-01 | CVE-2022-42970 | Missing Authentication for Critical Function vulnerability in Schneider-Electric products A CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. | 9.8 |
| 2023-02-01 | CVE-2022-42971 | Unrestricted Upload of File with Dangerous Type vulnerability in Schneider-Electric products A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. | 9.8 |
| 2023-02-01 | CVE-2022-42972 | Incorrect Permission Assignment for Critical Resource vulnerability in Schneider-Electric products A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could cause local privilege escalation when a local attacker modifies the webroot directory. | 7.8 |
| 2023-02-01 | CVE-2022-42973 | Use of Hard-coded Credentials vulnerability in Schneider-Electric products A CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause local privilege escalation when local attacker connects to the database. | 7.8 |
| 2023-02-01 | CVE-2022-4062 | Improper Authorization vulnerability in Schneider-Electric Ecostruxure Power Commission A CWE-285: Improper Authorization vulnerability exists that could cause unauthorized access to certain software functions when an attacker gets access to localhost interface of the EcoStruxure Power Commission application. | 3.3 |
| 2023-01-31 | CVE-2023-22610 | Incorrect Authorization vulnerability in Schneider-Electric products A CWE-863: Incorrect Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. | 7.5 |
| 2023-01-31 | CVE-2023-22611 | Unspecified vulnerability in Schneider-Electric products A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause information disclosure when specific messages are sent to the server over the database server TCP port. | 7.5 |
| 2023-01-31 | CVE-2022-45789 | Authentication Bypass by Capture-replay vulnerability in Schneider-Electric products A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. | 9.8 |
| 2023-01-30 | CVE-2022-0223 | Path Traversal vulnerability in Schneider-Electric Ecostruxure Power Commission A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. | 9.8 |
| 2023-01-30 | CVE-2022-22731 | Path Traversal vulnerability in Schneider-Electric Ecostruxure Power Commission A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in a function that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause path traversal attacks. | 9.8 |