Vulnerabilities > Schneider Electric > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-12 | CVE-2023-37199 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | 7.2 |
| 2023-07-12 | CVE-2023-37196 | SQL Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the alert settings of endpoints on DCE. | 8.8 |
| 2023-07-12 | CVE-2023-37197 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE. | 8.8 |
| 2023-07-12 | CVE-2023-37198 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | 7.2 |
| 2023-06-14 | CVE-2023-1049 | Code Injection vulnerability in Schneider-Electric products A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI. | 7.8 |
| 2023-06-14 | CVE-2023-2569 | Unspecified vulnerability in Schneider-Electric Ecostruxure Foxboro DCS Control Core Services A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, elevation of privilege, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver. | 7.8 |
| 2023-06-14 | CVE-2023-2570 | Unspecified vulnerability in Schneider-Electric Ecostruxure Foxboro DCS Control Core Services A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys driver. | 7.8 |
| 2023-06-14 | CVE-2023-3001 | Unspecified vulnerability in Schneider-Electric Igss Dashboard 16.0.0.23040/16.0.0.23130 A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. | 7.8 |
| 2023-04-19 | CVE-2023-25619 | Unspecified vulnerability in Schneider-Electric products A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when communicating over the Modbus TCP protocol. | 7.5 |
| 2023-04-18 | CVE-2023-29410 | Unspecified vulnerability in Schneider-Electric products A CWE-20: Improper Input Validation vulnerability exists that could allow an authenticated attacker to gain the same privilege as the application on the server when a malicious payload is provided over HTTP for the server to execute. | 8.8 |