CVE-2018-7836 – Schneider Electric IIoT Monitor UpgradeMgmt upload Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7836
An Unrestricted Upload of File with Dangerous Type vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow upload and execution of malicious files.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric IIoT Monitor. Authentication is required to exploit this vulnerability, but authentication can be easily bypassed. The specific flaw exists within the processing of the upload method of the UpgradeMgmt servlet, which listens on port 8080 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations.
• http://www.securityfocus.com/bid/106484
• https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2018-7801
https://notcve.org/view.php?id=CVE-2018-7801
A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when a remote code execution is performed.
• http://seclists.org/fulldisclosure/2021/Jul/32
• http://www.securityfocus.com/bid/106807
• https://ics-cert.us-cert.gov/advisories/ICSA-19-031-01
• https://www.schneider-electric.com/en/download/document/SEVD-2018-354-01
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2018-7802
https://notcve.org/view.php?id=CVE-2018-7802
A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
• http://www.securityfocus.com/bid/106807
• https://ics-cert.us-cert.gov/advisories/ICSA-19-031-01
• https://www.schneider-electric.com/en/download/document/SEVD-2018-354-01
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-7837 – Schneider Electric IIoT Monitor RuleMgmt addRule XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2018-7837
An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information.
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Schneider Electric IIoT Monitor. Authentication is not required to exploit this vulnerability. The specific flaw exists in the addRule method of the RuleMgmt servlet. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing.
• http://www.securityfocus.com/bid/106484
• https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2018-7793
https://notcve.org/view.php?id=CVE-2018-7793
A Credential Management vulnerability exists in FoxView HMI SCADA (all Foxboro DCS, Foxboro Evo, and IA Series versions prior to Foxboro DCS Control Core Services 9.4 (CCS 9.4) and FoxView 10.5) which could cause unauthorized disclosure, modification, or disruption in service when the password is modified without permission.
• https://www.schneider-electric.com/en/download/document/SEVD-2018-353-03