Vulnerabilities > Schneider Electric > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-11-19 CVE-2020-28210 Unspecified vulnerability in Schneider-Electric Ecostruxure Building Operation 2.0/3.1
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in EcoStruxure Building Operation WebStation V2.0 - V3.1 that could cause an attacker to inject HTML and JavaScript code into the user's browser.
network
low complexity
schneider-electric
6.1
2020-09-16 CVE-2020-7529 Unspecified vulnerability in Schneider-Electric Scadapack 7X Remote Connect 3.6.3.574
A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place content in any unprotected folder on the target system using a crafted .RCZ file.
local
low complexity
schneider-electric
5.5
2020-07-23 CVE-2020-7520 Open Redirect vulnerability in Schneider-Electric Software Update Utility
A CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim's machine.
network
high complexity
schneider-electric CWE-601
4.7
2020-07-23 CVE-2020-7517 Cleartext Storage of Sensitive Information vulnerability in Schneider-Electric Easergy Builder 1.4.7.2
A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker to read user credentials.
local
low complexity
schneider-electric CWE-312
5.5
2020-06-16 CVE-2020-7504 Improper Input Validation vulnerability in Schneider-Electric Easergy T300 Firmware 1.5.2
A CWE-20: Improper Input Validation vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to disable the webserver service on the device when specially crafted network packets are sent.
network
low complexity
schneider-electric CWE-20
5.3
2020-06-16 CVE-2020-7499 Incorrect Authorization vulnerability in Schneider-Electric products
A CWE-863: Incorrect Authorization vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause unauthorized access when a low privileged user makes unauthorized changes.
network
low complexity
schneider-electric CWE-863
6.5
2020-06-16 CVE-2020-7495 Path Traversal vulnerability in Schneider-Electric Ecostruxure Operator Terminal Expert 3.0/3.1
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file.
local
low complexity
schneider-electric CWE-22
5.5
2020-06-16 CVE-2020-7492 Weak Password Requirements vulnerability in Schneider-Electric Gp-Pro EX Firmware 1.00/4.08.200/4.09.120
A CWE-521: Weak Password Requirements vulnerability exists in GP-Pro EX V1.00 to V4.09.100 which could cause the discovery of the password when the user is entering the password because it is not masked.
network
low complexity
schneider-electric CWE-521
6.5
2020-03-23 CVE-2020-7482 Cross-site Scripting vulnerability in Schneider-Electric products
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in Andover Continuum (All versions), which could cause a Reflective Cross-site Scripting (XSS attack) when using the products' web server.
network
low complexity
schneider-electric CWE-79
6.1
2020-03-23 CVE-2020-7481 Cross-site Scripting vulnerability in Schneider-Electric products
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in Andover Continuum (All versions), which could enable a successful Cross-site Scripting (XSS attack) when using the products' web server.
network
low complexity
schneider-electric CWE-79
6.1