
CVSS: 6.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network.

• http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000120
• http://www.securityfocus.com/bid/98254
• http://www.securitytracker.com/id/1038542
• https://ics-cert.us-cert.gov/advisories/ICSA-17-122-01
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

All versions of VAMPSET software produced by Schneider Electric, prior to V2.2.189, are susceptible to a memory corruption vulnerability when a corrupted vf2 file is used. This vulnerability causes the software to halt or not start when trying to open the corrupted file. This vulnerability occurs when fill settings are intentionally malformed and the file is opened in a standalone state, without connection to a protection relay. This attack is not considered to be remotely exploitable. This vulnerability has no effect on the operation of the protection relay to which VAMPSET is connected.

• http://www.schneider-electric.com/en/download/document/SEVD-2017-061-01
• http://www.securityfocus.com/bid/97124
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors.

• http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-343-01
• http://www.datacenterdynamics.com/content-tracks/security-risk/schneider-patches-critical-vulnerability-in-struxureware-dcim/97738.fullarticle
• CWE-522: Insufficiently Protected Credentials

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

A Command Injection vulnerability in Schneider Electric homeLYnk Controller exists in all versions before 1.5.0.

• http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-052-02
• http://www.securityfocus.com/bid/97585
• https://ics-cert.us-cert.gov/advisories/ICSA-17-019-01A
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

A DLL Hijacking issue was discovered in Schneider Electric Interactive Graphical SCADA System (IGSS) Software, Version 12 and previous versions. The software will execute a malicious file if it is named the same as a legitimate file and placed in a location that is earlier in the search path.

• http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-090-01
• http://www.securityfocus.com/bid/97389
• https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01
• CWE-427: Uncontrolled Search Path Element