Vulnerabilities > Schneider Electric > Critical

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2023-10-04 | CVE-2023-5399 | Path Traversal vulnerability in Schneider-Electric Spacelogic C-Bus Toolkit | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command. | network | low | schneider-electric | CWE-22 | critical 9.8 |
| 2023-10-04 | CVE-2023-5391 | Deserialization of Untrusted Data vulnerability in Schneider-Electric products | A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application. | network | low | schneider-electric | CWE-502 | critical 9.8 |
| 2023-10-04 | CVE-2023-5402 | Improper Privilege Management vulnerability in Schneider-Electric C-Bus Toolkit | A CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network. | network | low | schneider-electric | CWE-269 | critical 9.8 |
| 2023-05-22 | CVE-2022-46680 | Cleartext Transmission of Sensitive Information vulnerability in Schneider-Electric products | A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic. | network | low | schneider-electric | CWE-319 | critical 9.8 |
| 2023-04-18 | CVE-2023-28004 | Improper Validation of Array Index vulnerability in Schneider-Electric Powerlogic Hdpm6000 Firmware | A CWE-129: Improper validation of an array index vulnerability exists where a specially crafted Ethernet request could result in denial of service or remote code execution. | network | low | schneider-electric | CWE-129 | critical 9.8 |
| 2023-04-18 | CVE-2023-29412 | OS Command Injection vulnerability in Schneider-Electric products | A CWE-78: Improper Handling of Case Sensitivity vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface. | network | low | schneider-electric | CWE-78 | critical 9.8 |
| 2023-04-18 | CVE-2023-29411 | Missing Authentication for Critical Function vulnerability in Schneider-Electric products | A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. | network | low | schneider-electric | CWE-306 | critical 9.8 |
| 2023-04-18 | CVE-2023-25550 | Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | network | low | schneider-electric | CWE-94 | critical 9.8 |
| 2023-04-18 | CVE-2023-25549 | Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. | network | low | schneider-electric | CWE-94 | critical 9.8 |
| 2023-02-01 | CVE-2022-42971 | Unrestricted Upload of File with Dangerous Type vulnerability in Schneider-Electric products | A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. | network | low | schneider-electric | CWE-434 | critical 9.8 |