CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 0CVE-2017-14024
https://notcve.org/view.php?id=CVE-2017-14024
A Stack-based Buffer Overflow issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions, and InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions. The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution with high privileges. Se descubrió un problema de desbordamiento de búfer basado en pila en Schneider Electric InduSoft Web Studio v8.0 SP2 Patch 1 o anterior y en InTouch Machine Edition v8.0 SP2 Patch 1 o anterior. La vulnerabilidad de desbordamiento de búfer basado en pila ha sido identificada. Podría permitir la ejecución remota de código con altos privilegios. • http://www.securityfocus.com/bid/101779 https://ics-cert.us-cert.gov/advisories/ICSA-17-313-02 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2017-13997
https://notcve.org/view.php?id=CVE-2017-13997
A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server. Se descubrió un problema de ausencia de autenticación para una función crítica en Schneider Electric InduSoft Web Studio v8.0 SP2 o anteriores y en InTouch Machine Edition v8.0 SP2 o anteriores. • http://www.securityfocus.com/bid/100952 https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2015-0997
https://notcve.org/view.php?id=CVE-2015-0997
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 provide an HMI user interface that lists all valid usernames, which makes it easier for remote attackers to obtain access via a brute-force password-guessing attack. Schneider Electric InduSoft Web Studio anterior a 7.1.3.4 SP3 Patch 4 y InTouch Machine Edition 2014 anterior a 7.1.3.4 SP3 Patch 4 proporcionan una interfaz de usuario HMI que lista todos los nombres de usuario válidos, lo que facilita a atacantes remotos obtener el acceso a través de un ataque de adivinación de contraseñas de fuerza bruta. • http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-01 http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-02 https://ics-cert.us-cert.gov/advisories/ICSA-15-085-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 0CVE-2015-0998
https://notcve.org/view.php?id=CVE-2015-0998
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 transmit cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. Schneider Electric InduSoft Web Studio anterior a 7.1.3.4 SP3 Patch 4 y InTouch Machine Edition 2014 anterior a 7.1.3.4 SP3 Patch 4 transmiten credenciales en texto claro, lo que permite a atacantes remotos obtener información sensible mediante la captura de trafico de la red. • http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-01 http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-02 https://ics-cert.us-cert.gov/advisories/ICSA-15-085-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2015-0996
https://notcve.org/view.php?id=CVE-2015-0996
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive information by discovering this password. Schneider Electric InduSoft Web Studio anterior a 7.1.3.4 SP3 Patch 4 e InTouch Machine Edition 2014 anterior a 7.1.3.4 SP3 Patch 4 dependen de una contraseña de texto claro embebida para controlar el acceso de lectura a los ficheros de proyectos y de la configuración de proyectos, lo que facilita a usuarios locales obtener información sensible mediante el descubrimiento de esta contraseña. • http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-01 http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-02 https://ics-cert.us-cert.gov/advisories/ICSA-15-085-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •