Vulnerabilities > Schneider Electric > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-09-02 | CVE-2021-22792 | Unspecified vulnerability in Schneider-Electric products A CWE-476: NULL Pointer Dereference vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project file exists in Modicon M580 CPU (part numbers BMEP* and BMEH*, all versions), Modicon M340 CPU (part numbers BMXP34*, all versions), Modicon MC80 (part numbers BMKC80*, all versions), Modicon Momentum Ethernet CPU (part numbers 171CBU*, all versions), PLC Simulator for EcoStruxureª Control Expert, including all Unity Pro versions (former name of EcoStruxureª Control Expert, all versions), PLC Simulator for EcoStruxureª Process Expert including all HDCS versions (former name of EcoStruxureª Process Expert, all versions), Modicon Quantum CPU (part numbers 140CPU*, all versions), Modicon Premium CPU (part numbers TSXP5*, all versions). | 7.5 |
| 2021-09-02 | CVE-2021-22793 | Unspecified vulnerability in Schneider-Electric products A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exist in AccuSine PCS+ / PFV+ (Versions prior to V1.6.7) and AccuSine PCSn (Versions prior to V2.2.4) that could allow an authenticated attacker to access the device via FTP protocol. | 7.2 |
| 2021-07-21 | CVE-2021-22708 | Unspecified vulnerability in Schneider-Electric products A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to craft a malicious firmware package and bypass the signature verification mechanism. | 7.2 |
| 2021-07-21 | CVE-2021-22726 | Unspecified vulnerability in Schneider-Electric products A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to perform unintended actions or access to data when crafted malicious parameters are submitted to the charging station web server. | 8.1 |
| 2021-07-21 | CVE-2021-22771 | Unspecified vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2/2.7/2.7.1 A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution. | 7.3 |
| 2021-07-21 | CVE-2021-22774 | Use of Password Hash With Insufficient Computational Effort vulnerability in Schneider-Electric products A CWE-759: Use of a One-Way Hash without a Salt vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could lead an attacker to get knowledge of charging station user account credentials using dictionary attacks techniques. | 7.5 |
| 2021-07-21 | CVE-2021-22777 | Unspecified vulnerability in Schneider-Electric Sosafe Configurable A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file. | 7.8 |
| 2021-07-14 | CVE-2021-22778 | Unspecified vulnerability in Schneider-Electric products Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause protected derived function blocks to be read or modified by unauthorized users when accessing a project file. | 7.1 |
| 2021-07-14 | CVE-2021-22780 | Unspecified vulnerability in Schneider-Electric products Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause unauthorized access to a project file protected by a password when this file is shared with untrusted sources. | 7.1 |
| 2021-06-11 | CVE-2021-22750 | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21041 and prior that could result in loss of data or remote code execution due to missing length checks, when a malicious CGF file is imported to IGSS Definition. | 7.8 |