Vulnerabilities > Schneider Electric > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-14 | CVE-2023-5629 | Open Redirect vulnerability in Schneider-Electric products A CWE-601:URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability exists that could cause disclosure of information through phishing attempts over HTTP. | 6.1 |
| 2023-12-14 | CVE-2023-5630 | Download of Code Without Integrity Check vulnerability in Schneider-Electric products A CWE-494: Download of Code Without Integrity Check vulnerability exists that could allow a privileged user to install an untrusted firmware. | 4.9 |
| 2023-11-15 | CVE-2023-5984 | Download of Code Without Integrity Check vulnerability in Schneider-Electric Ion8650 Firmware and Ion8800 Firmware A CWE-494 Download of Code Without Integrity Check vulnerability exists that could allow modified firmware to be uploaded when an authorized admin user begins a firmware update procedure which could result in full control over the device. | 4.9 |
| 2023-11-15 | CVE-2023-5985 | Cross-site Scripting vulnerability in Schneider-Electric Ion8650 Firmware and Ion8800 Firmware A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values. | 4.8 |
| 2023-11-15 | CVE-2023-5986 | Open Redirect vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert 2020/2021 A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. | 6.1 |
| 2023-11-15 | CVE-2023-5987 | Cross-site Scripting vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert 2020/2021 A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload. | 6.1 |
| 2023-11-15 | CVE-2023-6032 | Path Traversal vulnerability in Schneider-Electric Galaxy VL Firmware and Galaxy VS Firmware A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS. | 5.3 |
| 2023-08-09 | CVE-2023-3953 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Pro-Face Gp-Pro EX A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX. | 5.3 |
| 2023-05-16 | CVE-2023-2161 | XXE vulnerability in Schneider-Electric OPC Factory Server A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. | 5.5 |
| 2023-04-19 | CVE-2023-25620 | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when a malicious project file is loaded onto the controller by an authenticated user. | 6.5 |