Filtered by vendor Schneider-electric
Subscribe
Total
755 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7480 | 1 Schneider-electric | 22 Andover Continuum 5720, Andover Continuum 5720 Firmware, Andover Continuum 5740 and 19 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data. | |||||
| CVE-2020-7479 | 1 Schneider-electric | 1 Interactive Graphical Scada System | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a local user to execute processes that otherwise require escalation privileges when sending local network commands to the IGSS Update Service. | |||||
| CVE-2020-7478 | 1 Schneider-electric | 1 Interactive Graphical Scada System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a remote unauthenticated attacker to read arbitrary files from the IGSS server PC on an unrestricted or shared network when the IGSS Update Service is enabled. | |||||
| CVE-2020-7477 | 1 Schneider-electric | 56 140cpu65150, 140cpu65150 Firmware, 140cpu65160 and 53 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Quantum Ethernet Network module 140NOE771x1 (Versions 7.0 and prior), Quantum processors with integrated Ethernet – 140CPU65xxxxx (all Versions), and Premium processors with integrated Ethernet (all Versions), which could cause a Denial of Service when sending a specially crafted command over Modbus. | |||||
| CVE-2020-7476 | 1 Schneider-electric | 1 Ulti Zigbee Installation Toolkit | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| A CWE-426: Untrusted Search Path vulnerability exists in ZigBee Installation Kit (Versions prior to 1.0.1), which could cause execution of malicious code when a malicious file is put in the search path. | |||||
| CVE-2020-7475 | 1 Schneider-electric | 6 Ecostruxure Control Expert, Modicon M340, Modicon M340 Firmware and 3 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), reflective DLL, vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10), which, if exploited, could allow attackers to transfer malicious code to the controller. | |||||
| CVE-2020-7474 | 1 Schneider-electric | 1 Pmepxm0100 Prosoft Configurator | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| A CWE-427: Uncontrolled Search Path Element vulnerability exists in ProSoft Configurator (v1.002 and prior), for the PMEPXM0100 (H) module, which could cause the execution of untrusted code when using double click to open a project file which may trigger execution of a malicious DLL. | |||||
| CVE-2020-28221 | 1 Schneider-electric | 42 Ecostruxure Operator Terminal Expert, Gp-4104g, Gp-4104w and 39 more | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
| A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI. | |||||
| CVE-2020-28220 | 1 Schneider-electric | 4 Modicon M258, Modicon M258 Firmware, Somachine and 1 more | 2024-11-21 | 5.2 MEDIUM | 6.8 MEDIUM |
| A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified. | |||||
| CVE-2020-28219 | 1 Schneider-electric | 2 Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020 | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX. | |||||
| CVE-2020-28218 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to trick a user into initiating an unintended action. | |||||
| CVE-2020-28217 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol. | |||||
| CVE-2020-28216 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol. | |||||
| CVE-2020-28215 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-862: Missing Authorization vulnerability exists in Easergy T300 (firmware 2.7 and older), that could cause a wide range of problems, including information exposures, denial of service, and arbitrary code execution when access control checks are not applied consistently. | |||||
| CVE-2020-28214 | 1 Schneider-electric | 2 Modicon M221, Modicon M221 Firmware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide. | |||||
| CVE-2020-28213 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A CWE-494: Download of Code Without Integrity Check vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when sending specially crafted requests over Modbus. | |||||
| CVE-2020-28212 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus. | |||||
| CVE-2020-28211 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A CWE-863: Incorrect Authorization vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause bypass of authentication when overwriting memory using a debugger. | |||||
| CVE-2020-28210 | 1 Schneider-electric | 1 Ecostruxure Building Operation | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in EcoStruxure Building Operation WebStation V2.0 - V3.1 that could cause an attacker to inject HTML and JavaScript code into the user's browser. | |||||
| CVE-2020-28209 | 2 Microsoft, Schneider-electric | 2 Windows, Enterprise Server Installer | 2024-11-21 | 4.4 MEDIUM | 7.0 HIGH |
| A CWE-428 Windows Unquoted Search Path vulnerability exists in EcoStruxure Building Operation Enterprise Server installer V1.9 - V3.1 and Enterprise Central installer V2.0 - V3.1 that could cause any local Windows user who has write permission on at least one of the subfolders of the Connect Agent service binary path, being able to gain the privilege of the user who started the service. By default, the Enterprise Server and Enterprise Central is always installed at a location requiring Administrator privileges so the vulnerability is only valid if the application has been installed on a non-secure location. | |||||