Filtered by vendor Schneider-electric
Subscribe
Total
675 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-9965 | 1 Schneider-electric | 1 Pelco Videoxpert | 2018-02-12 | 5.0 MEDIUM | 5.8 MEDIUM |
| An exposure of sensitive information vulnerability exists in Schneider Electric's Pelco VideoXpert Enterprise versions 2.0 and prior. Using a directory traversal attack, an unauthorized person can view web server files. | |||||
| CVE-2017-9964 | 1 Schneider-electric | 1 Pelco Videoxpert | 2018-02-12 | 5.8 MEDIUM | 6.9 MEDIUM |
| A Path Traversal issue was discovered in Schneider Electric Pelco VideoXpert Enterprise all versions prior to 2.1. By sniffing communications, an unauthorized person can execute a directory traversal attack resulting in authentication bypass or session hijack. | |||||
| CVE-2017-14024 | 1 Schneider-electric | 2 Wonderware Indusoft Web Studio, Wonderware Intouch | 2017-12-01 | 10.0 HIGH | 9.8 CRITICAL |
| A Stack-based Buffer Overflow issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions, and InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions. The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution with high privileges. | |||||
| CVE-2017-7971 | 1 Schneider-electric | 3 Citect Anywhere, Powerscada Anywhere, Powerscada Expert | 2017-09-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the use of outdated cipher suites and improper verification of peer SSL Certificate. | |||||
| CVE-2017-7969 | 1 Schneider-electric | 3 Citect Anywhere, Powerscada Anywhere, Powerscada Expert | 2017-09-29 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack. | |||||
| CVE-2017-7973 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which an unauthenticated user can use calls to various paths allowing performance of arbitrary SQL commands against the underlying database. | |||||
| CVE-2017-7974 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 7.5 HIGH | 9.8 CRITICAL |
| A path traversal information disclosure vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which an unauthenticated user can execute arbitrary code and exfiltrate files. | |||||
| CVE-2017-9956 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 7.5 HIGH | 7.3 HIGH |
| An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use that session ID as part of the HTTP cookie of a web request, resulting in authentication bypass | |||||
| CVE-2017-9957 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the web service contains a hidden system account with a hardcoded password. An attacker can use this information to log into the system with high-privilege credentials. | |||||
| CVE-2017-9960 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system response to error provides more information than should be available to an unauthenticated user. | |||||
| CVE-2011-4859 | 1 Schneider-electric | 21 M340 Ethernet Module Bmxnoe0100, M340 Ethernet Module Bmxnoe0110, M340 Ethernet Module Bmxp342020 and 18 more | 2017-08-28 | 10.0 HIGH | N/A |
| The Schneider Electric Quantum Ethernet Module, as used in the Quantum 140NOE771* and 140CPU65* modules, the Premium TSXETY* and TSXP57* modules, the M340 BMXNOE01* and BMXP3420* modules, and the STB DIO STBNIC2212 and STBNIP2* modules, uses hardcoded passwords for the (1) AUTCSE, (2) AUT_CSE, (3) fdrusers, (4) ftpuser, (5) loader, (6) nic2212, (7) nimrohs2212, (8) nip2212, (9) noe77111_v500, (10) ntpupdate, (11) pcfactory, (12) sysdiag, (13) target, (14) test, (15) USER, and (16) webserver accounts, which makes it easier for remote attackers to obtain access via the (a) TELNET, (b) Windriver Debug, or (c) FTP port. | |||||
| CVE-2011-4035 | 1 Schneider-electric | 3 Citecthistorian, Citectscada Reports, Vijeo Historian | 2017-08-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Schneider Electric Vijeo Historian 4.30 and earlier, CitectHistorian 4.30 and earlier, and CitectSCADAReports 4.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2011-3330 | 1 Schneider-electric | 6 Monitor Pro, Opc Factory Server, Pl7 Pro and 3 more | 2017-08-28 | 7.2 HIGH | N/A |
| Buffer overflow in the UnitelWay Windows Device Driver, as used in Schneider Electric Unity Pro 6 and earlier, OPC Factory Server 3.34, Vijeo Citect 7.20 and earlier, Telemecanique Driver Pack 2.6 and earlier, Monitor Pro 7.6 and earlier, and PL7 Pro 4.5 and earlier, allows local users, and possibly remote attackers, to execute arbitrary code via an unspecified system parameter. | |||||
| CVE-2017-6019 | 1 Schneider-electric | 2 Conext Combox 865-1058, Conext Combox 865-1058 Firmware | 2017-08-15 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in Schneider Electric Conext ComBox, model 865-1058, all firmware versions prior to V3.03 BN 830. A series of rapid requests to the device may cause it to reboot. | |||||
| CVE-2017-7907 | 1 Schneider-electric | 1 Wonderware Historian Client | 2017-07-07 | 3.3 LOW | 6.6 MEDIUM |
| An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network. | |||||
| CVE-2017-7967 | 1 Schneider-electric | 1 Vampset | 2017-05-22 | 2.1 LOW | 5.5 MEDIUM |
| All versions of VAMPSET software produced by Schneider Electric, prior to V2.2.189, are susceptible to a memory corruption vulnerability when a corrupted vf2 file is used. This vulnerability causes the software to halt or not start when trying to open the corrupted file. This vulnerability occurs when fill settings are intentionally malformed and is opened in a standalone state, without connection to a protection relay. This attack is not considered to be remotely exploitable. This vulnerability has no effect on the operation of the protection relay to which VAMPSET is connected. As Windows operating system remains operational and VAMPSET responds, it is able to be shut down through its normal closing protocol. | |||||
| CVE-2017-7575 | 1 Schneider-electric | 2 Modicon Tm221ce16r, Modicon Tm221ce16r Firmware | 2017-04-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote attackers to discover the application-protection password via a \x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00 request to the Modbus port (502/tcp). Subsequently the application may be arbitrarily downloaded, modified, and uploaded. | |||||
| CVE-2016-8354 | 1 Schneider-electric | 1 Unity Pro | 2017-03-15 | 5.1 MEDIUM | 7.0 HIGH |
| An issue was discovered in Schneider Electric Unity PRO prior to V11.1. Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instructions are subsequently executed directly by the simulator. A specially crafted patched Unity project file can make the simulator execute malicious code by redirecting the control flow of these instructions. | |||||
| CVE-2016-8352 | 1 Schneider-electric | 6 Connexium Firmware, Tcsefec23f3f20, Tcsefec23f3f21 and 3 more | 2017-03-15 | 7.5 HIGH | 10.0 CRITICAL |
| An issue was discovered in Schneider Electric ConneXium firewalls TCSEFEC23F3F20 all versions, TCSEFEC23F3F21 all versions, TCSEFEC23FCF20 all versions, TCSEFEC23FCF21 all versions, and TCSEFEC2CF3F20 all versions. A stack-based buffer overflow can be triggered during the SNMP login authentication process that may allow an attacker to remotely execute code. | |||||
| CVE-2016-5815 | 1 Schneider-electric | 6 Ion5000, Ion7300, Ion7500 and 3 more | 2017-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal and make configuration changes. | |||||