Vulnerabilities > Schneider Electric > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-11-15 CVE-2023-5985 Unspecified vulnerability in Schneider-Electric Ion8650 Firmware and Ion8800 Firmware
A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values.
network
low complexity
schneider-electric
4.8
2023-11-15 CVE-2023-5986 Open Redirect vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert 2020/2021
A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an open redirect vulnerability leading to a cross site scripting attack.
network
low complexity
schneider-electric CWE-601
6.1
2023-11-15 CVE-2023-5987 Unspecified vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert 2020/2021
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.
network
low complexity
schneider-electric
6.1
2023-11-15 CVE-2023-6032 Unspecified vulnerability in Schneider-Electric Galaxy VL Firmware and Galaxy VS Firmware
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS.
network
low complexity
schneider-electric
5.3
2023-08-09 CVE-2023-3953 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Pro-Face Gp-Pro EX
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX.
local
low complexity
schneider-electric CWE-119
5.3
2023-05-16 CVE-2023-2161 XXE vulnerability in Schneider-Electric OPC Factory Server
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded onto the software by a local user.
local
low complexity
schneider-electric CWE-611
5.5
2023-04-19 CVE-2023-25620 Unspecified vulnerability in Schneider-Electric products
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when a malicious project file is loaded onto the controller by an authenticated user.
network
low complexity
schneider-electric
6.5
2023-04-18 CVE-2022-43378 Unspecified vulnerability in Schneider-Electric products
A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior)
network
low complexity
schneider-electric
6.5
2023-04-18 CVE-2023-25548 Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user.
network
low complexity
schneider-electric
6.5
2023-04-18 CVE-2023-25551 Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
network
low complexity
schneider-electric
6.1