Filtered by vendor Schneider-electric Subscriptions
Total 762 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-4516 1 Schneider-electric 1 Interactive Graphical Scada System 2024-08-02 7.8 High
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change update source, potentially leading to remote code execution when the attacker force an update containing malicious content.
CVE-2023-3001 1 Schneider-electric 1 Igss Dashboard 2024-08-02 7.8 High
A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file.
CVE-2023-2570 1 Schneider-electric 1 Ecostruxure Foxboro Dcs Control Core Services 2024-08-02 7 High
A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys driver.
CVE-2023-2569 1 Schneider-electric 1 Ecostruxure Foxboro Dcs Control Core Services 2024-08-02 7.8 High
A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, elevation of privilege, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
CVE-2023-2161 1 Schneider-electric 1 Opc Factory Server 2024-08-02 5 Medium
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. 
CVE-2023-1548 1 Schneider-electric 1 Ecostruxure Control Expert 2024-08-02 5.5 Medium
A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above)
CVE-2023-1049 1 Schneider-electric 2 Ecostruxure Operator Terminal Expert, Pro-face Blue 2024-08-02 7.8 High
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI.
CVE-2023-0595 1 Schneider-electric 4 Clearscada, Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020 and 1 more 2024-08-02 5.3 Medium
A CWE-117: Improper Output Neutralization for Logs vulnerability exists that could cause the misinterpretation of log files when malicious packets are sent to the Geo SCADA server's database web port (default 443). Affected products: EcoStruxure Geo SCADA Expert 2019, EcoStruxure Geo SCADA Expert 2020, EcoStruxure Geo SCADA Expert 2021(All Versions prior to October 2022), ClearSCADA (All Versions)
CVE-2024-37040 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-08-02 5.4 Medium
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability exists that could allow a user with access to the device’s web interface to cause a fault on the device when sending a malformed HTTP request.
CVE-2024-37037 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-08-02 8.1 High
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists that could allow an authenticated user with access to the device’s web interface to corrupt files and impact device functionality when sending a crafted HTTP request.
CVE-2024-37039 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-08-02 5.9 Medium
CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request.
CVE-2024-37038 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-08-02 7.5 High
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.
CVE-2024-6528 1 Schneider-electric 10 Modicon Lmc058, Modicon Lmc058 Firmware, Modicon M241 and 7 more 2024-08-01 5.4 Medium
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a vulnerability leading to a cross-site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.
CVE-2024-6407 1 Schneider-electric 2 Whc-5918a, Whc-5918a Firmware 2024-08-01 9.8 Critical
CWE-200: Information Exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device.
CVE-2024-5681 1 Schneider-electric 1 Ecostruxure Foxboro Dcs Control Core Services 2024-08-01 7.8 High
CWE-20: Improper Input Validation vulnerability exists that could cause local denial-of-service, privilege escalation, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
CVE-2024-5680 1 Schneider-electric 1 Ecostruxure Foxboro Dcs Control Core Services 2024-08-01 7.1 High
CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
CVE-2024-5557 1 Schneider-electric 4 Spacelogic As-b, Spacelogic As-b Firmware, Spacelogic As-p and 1 more 2024-08-01 4.5 Medium
CWE-532: Insertion of Sensitive Information into Log File vulnerability exists that could cause exposure of SNMP credentials when an attacker has access to the controller logs.
CVE-2024-5679 1 Schneider-electric 1 Ecostruxure Foxboro Dcs Control Core Services 2024-08-01 7.1 High
CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, or kernel memory leak when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
CVE-2024-5560 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-08-01 5.3 Medium
CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the device’s web interface when an attacker sends a specially crafted HTTP request.
CVE-2024-5558 1 Schneider-electric 4 Spacelogic As-b, Spacelogic As-b Firmware, Spacelogic As-p and 1 more 2024-08-01 6.4 Medium
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could cause escalation of privileges when an attacker abuses a limited admin account.