Vulnerabilities > Schneider Electric > Struxureware Data Center Expert > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-12 | CVE-2023-37199 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | 7.2 |
| 2023-07-12 | CVE-2023-37196 | SQL Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the alert settings of endpoints on DCE. | 8.8 |
| 2023-07-12 | CVE-2023-37197 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE. | 8.8 |
| 2023-07-12 | CVE-2023-37198 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | 7.2 |
| 2023-04-18 | CVE-2023-25547 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. | 8.8 |
| 2023-04-18 | CVE-2023-25552 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. | 8.1 |
| 2023-04-18 | CVE-2023-25554 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | 7.8 |
| 2023-04-18 | CVE-2023-25555 | Unspecified vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. | 8.1 |
| 2018-11-30 | CVE-2018-7807 | Path Traversal vulnerability in Schneider-Electric Struxureware Data Center Expert Data Center Expert, versions 7.5.0 and earlier, allows for the upload of a zip file from its user interface to the server. | 8.8 |
| 2018-05-23 | CVE-2018-1124 | Integer Overflow or Wraparound vulnerability in multiple products procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. | 7.8 |