Vulnerabilities > Schneider Electric > Struxureware Data Center Expert > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-12 | CVE-2023-37199 | Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | 7.2 |
| 2023-07-12 | CVE-2023-37196 | SQL Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the alert settings of endpoints on DCE. | 8.8 |
| 2023-07-12 | CVE-2023-37197 | SQL Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE. | 8.8 |
| 2023-07-12 | CVE-2023-37198 | Code Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | 7.2 |
| 2023-04-18 | CVE-2023-25547 | Incorrect Authorization vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. | 8.8 |
| 2023-04-18 | CVE-2023-25552 | Missing Authorization vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. | 8.1 |
| 2023-04-18 | CVE-2023-25554 | OS Command Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | 7.8 |
| 2023-04-18 | CVE-2023-25555 | OS Command Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. | 8.1 |
| 2022-04-13 | CVE-2021-22794 | Path Traversal vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution. | 7.5 |
| 2022-04-13 | CVE-2021-22795 | OS Command Injection vulnerability in Schneider-Electric Struxureware Data Center Expert A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when performed over the network. | 7.5 |