Vulnerabilities > Schneider Electric > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-04 | CVE-2022-22724 | Resource Exhaustion vulnerability in Schneider-Electric products A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. | 5.0 |
| 2022-02-04 | CVE-2022-22726 | Improper Input Validation vulnerability in Schneider-Electric Ecostruxure Power Monitoring Expert A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. | 4.0 |
| 2022-01-28 | CVE-2021-22807 | Out-of-bounds Write vulnerability in Schneider-Electric Guicon 2.0 A CWE-787: Out-of-bounds Write vulnerability exists that could cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool. | 6.8 |
| 2022-01-28 | CVE-2021-22808 | Use After Free vulnerability in Schneider-Electric Guicon 2.0 A CWE-416: Use After Free vulnerability exists that could cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool. | 6.8 |
| 2022-01-28 | CVE-2021-22809 | Out-of-bounds Read vulnerability in Schneider-Electric Guicon 2.0 A CWE-125:Out-of-Bounds Read vulnerability exists that could cause unintended data disclosure when a malicious *.gd1 configuration file is loaded into the GUIcon tool. | 4.3 |
| 2022-01-28 | CVE-2021-22810 | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause arbritrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to a delete policy file. | 4.3 |
| 2022-01-28 | CVE-2021-22811 | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause script execution when the request of a privileged account accessing the vulnerable web page is intercepted. | 4.3 |
| 2022-01-28 | CVE-2021-22812 | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause arbritrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC. | 4.3 |
| 2022-01-28 | CVE-2021-22813 | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause arbritrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to an edit policy file. | 4.3 |
| 2022-01-28 | CVE-2021-22814 | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists which could cause arbritrary script execution when a malicious file is read and displayed. | 4.3 |