Vulnerabilities > Schneider Electric > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-08-31 | CVE-2020-7521 | Unspecified vulnerability in Schneider-Electric APC Easy UPS Online Software 2.0 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in SFAPV9601 - APC Easy UPS On-Line Software (V2.0 and earlier) when accessing a vulnerable method of `FileUploadServlet` which may lead to uploading executable files to non-specified directories. | 9.8 |
| 2020-06-16 | CVE-2020-7512 | Unspecified vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2 A CWE-1103: Use of Platform-Dependent Third Party Components with vulnerabilities vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to exploit the component. | 9.8 |
| 2020-06-16 | CVE-2020-7508 | Improper Restriction of Excessive Authentication Attempts vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2 A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to gain full access by brute force. | 9.8 |
| 2020-06-16 | CVE-2020-7500 | SQL Injection vulnerability in Schneider-Electric products A CWE-89:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause arbitrary code to be executed when a malicious command is entered. | 9.8 |
| 2020-06-16 | CVE-2020-7498 | Use of Hard-coded Credentials vulnerability in Schneider-Electric OS Loader and Unity Loader A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). | 9.8 |
| 2020-06-16 | CVE-2020-7497 | Path Traversal vulnerability in Schneider-Electric Ecostruxure Operator Terminal Expert 3.0/3.1 A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause arbitrary application execution when the computer starts. | 9.8 |
| 2020-04-22 | CVE-2020-7489 | Injection vulnerability in Schneider-Electric products A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert – Basic or SoMachine Basic programming software (versions in security notification). | 9.8 |
| 2020-04-22 | CVE-2020-7487 | Insufficient Verification of Data Authenticity vulnerability in Schneider-Electric products A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists which could allow the attacker to execute malicious code on the Modicon M218, M241, M251, and M258 controllers. | 9.8 |
| 2020-04-16 | CVE-2020-7485 | Unspecified vulnerability in Schneider-Electric Tristation 1131 **VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy support account in the TriStation software version v4.9.0 and earlier could cause improper access to the TriStation host machine. | 9.8 |
| 2020-03-23 | CVE-2020-7480 | Code Injection vulnerability in Schneider-Electric products A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data. | 9.8 |