CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-5987
https://notcve.org/view.php?id=CVE-2023-5987
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload. Una vulnerabilidad CWE-79: Neutralización Inadecuada de la Entrada Durante la Generación de Páginas Web (Cross-site Scripting) que podría causar una vulnerabilidad que conduzca a una condición de Cross-Site Scripting donde los atacantes pueden hacer que el navegador de la víctima ejecute JavaScript arbitrario cuando visitan una página que contiene un payload inyectado. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-02.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 0%CPEs: 5EXPL: 0CVE-2023-5986
https://notcve.org/view.php?id=CVE-2023-5986
A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input attackers can cause the software’s web application to redirect to the chosen domain after a successful login is performed. Existe una vulnerabilidad CWE-601: Redireccionamiento de URL a un Sitio que No es de Confianza que podría causar una vulnerabilidad de openredirect que conduzca a un ataque de cross site scripting. Al proporcionar una entrada codificada en URL, los atacantes pueden hacer que la aplicación web del software se redirija al dominio elegido después de iniciar sesión correctamente. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-02.pdf • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5391 – Schneider Electric EcoStruxure Power Monitoring Expert GetFilteredSinkProvider Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-5391
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application. CWE-502: Existe una vulnerabilidad deserialización de datos no confiables que podría permitir a un atacante ejecutar código arbitrario en el sistema objetivo enviando un paquete específicamente manipulado a la aplicación. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric EcoStruxure Power Monitoring Expert. Authentication is not required to exploit this vulnerability. The specific flaw exists within the GetFilteredSinkProvider method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28003
https://notcve.org/view.php?id=CVE-2023-28003
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-073-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-073-01.pdf • CWE-613: Insufficient Session Expiration •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22804
https://notcve.org/view.php?id=CVE-2022-22804
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior) Una CWE-79: Se presenta una vulnerabilidad de Neutralización Inapropiada de la Entrada Durante la Generación de la Página Web ("Cross-site Scripting") que podría permitir a un atacante autenticado visualizar datos, cambiar la configuración o afectar a la disponibilidad del software cuando el usuario visita una página que contiene la carga útil inyectada. Producto afectado: EcoStruxure Power Monitoring Expert (Versiones 2020 y anteriores) • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •