Vulnerabilities > SE

DATE CVE VULNERABILITY TITLE RISK
2020-11-19 CVE-2020-7573 Improper Access Control vulnerability in SE Webreports 1.9/3.1
A CWE-284 Improper Access Control vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could allow a remote attacker to access restricted web resources due to improper access control.
network
low complexity
se CWE-284
6.4
2020-11-19 CVE-2020-7572 XXE vulnerability in SE Webreports 1.9/3.1
A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could allow an authenticated remote user to inject arbitrary XML code and cause disclosure of confidential data, denial of service, or server-side request forgery due to improper configuration of the XML parser.
network
low complexity
se CWE-611
6.5
2020-11-19 CVE-2020-7571 Cross-Site Scripting vulnerability in SE Webreports 1.9/3.1
A CWE-79 Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could allow a remote attacker to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a reflected Cross-Site Scripting attack against other WebReports users.
network
se CWE-79
3.5
2020-11-19 CVE-2020-7570 Cross-Site Scripting vulnerability in SE Webreports 1.9/3.1
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could allow an authenticated remote user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a stored Cross-Site Scripting attack against other WebReports users.
network
se CWE-79
3.5
2020-11-19 CVE-2020-7569 Unrestricted Upload of File With Dangerous Type vulnerability in SE Webreports 1.9/3.1
A CWE-434 Unrestricted Upload of File with Dangerous Type vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could allow an authenticated remote user to upload arbitrary files due to incorrect verification of user-supplied files and achieve remote code execution.
network
low complexity
se CWE-434
6.5
2020-11-19 CVE-2020-7559 Classic Buffer Overflow vulnerability in SE Ecostruxure Control Expert
A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause a crash of the PLC simulator present in EcoStruxure™ Control Expert software when receiving a specially crafted request over Modbus.
network
low complexity
se CWE-120
5.0
2020-11-19 CVE-2020-7544 Improper Privilege Management vulnerability in SE Operator Terminal Expert Runtime 3.1
A CWE-269 Improper Privilege Management vulnerability exists in EcoStruxure™ Operator Terminal Expert runtime (Vijeo XD) that could cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxure™ Operator Terminal Expert.
local
low complexity
se CWE-269
7.2
2020-11-19 CVE-2020-7538 Improper Check for Unusual or Exceptional Conditions vulnerability in SE Ecostruxure Control Expert
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause a crash of the PLC simulator present in EcoStruxure™ Control Expert software when receiving a specially crafted request over Modbus.
network
low complexity
se CWE-754
5.0
2020-11-19 CVE-2020-28213 Download of Code Without Integrity Check vulnerability in SE Ecostruxure Control Expert
A CWE-494: Download of Code Without Integrity Check vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when sending specially crafted requests over Modbus.
network
low complexity
se CWE-494
6.5
2020-11-19 CVE-2020-28212 Improper Restriction of Excessive Authentication Attempts vulnerability in SE Ecostruxure Control Expert
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is carried out over Modbus.
network
low complexity
se CWE-307
7.5