CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32528
https://notcve.org/view.php?id=CVE-2022-32528
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause access to manipulate and read specific files in the IGSS project report directory, potentially leading to a denial-of-service condition when an attacker sends specific messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170) • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-165-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification.pdf • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-32517
https://notcve.org/view.php?id=CVE-2022-32517
A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause an adversary to trick the interface user/admin into interacting with the application in an unintended way when the product does not implement restrictions on the ability to render within frames on external addresses. Affected Products: Conext™ ComBox (All Versions) Existe una vulnerabilidad CWE-1021: Restricción inadecuada de las capas o marcos de la interfaz de usuario renderizados que podría causar que un adversario engañe la interfaz user/admin para que interactúe con la aplicación de una manera no deseada cuando el producto no implementa restricciones en la capacidad de renderizar dentro de los marcos. en direcciones externas. Productos afectados: Conext? ComBox (todas las versiones) • https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-03_ConextCombox_Security_Notification.pdf • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-32515
https://notcve.org/view.php?id=CVE-2022-32515
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause brute force attacks to take over the admin account when the product does not implement a rate limit mechanism on the admin authentication form. Affected Products: Conext™ ComBox (All Versions) Existe una vulnerabilidad CWE-307: Restricción inadecuada de intentos de autenticación excesivos que podría provocar que ataques de fuerza bruta se apoderen de la cuenta de administrador cuando el producto no implementa un mecanismo de límite de velocidad en el formulario de autenticación de administrador. Productos afectados: Conext? ComBox (todas las versiones) • https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-03_ConextCombox_Security_Notification.pdf • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32748
https://notcve.org/view.php?id=CVE-2022-32748
A CWE-295: Improper Certificate Validation vulnerability exists that could cause the CAE software to give wrong data to end users when using CAE to configure devices. Additionally, credentials could leak which would enable an attacker the ability to log into the configuration tool and compromise other devices in the network. Affected Products: EcoStruxure™ Cybersecurity Admin Expert (CAE) (Versions prior to 2.2) • https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-08_Cybersecurity_Admin_Expert_Security_Notification.pdf • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32529
https://notcve.org/view.php?id=CVE-2022-32529
A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted log data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170) Existe una vulnerabilidad CWE-120: copia del búfer sin comprobar el tamaño de la entrada que podría provocar un desbordamiento de búfer en la región stack de la memoria, lo que podría provocar la ejecución remota de código cuando un atacante envía mensajes de solicitud de datos de registro especialmente manipulados. Productos afectados: IGSS Data Server - IGSSdataServer.exe (Versiones anteriores a V15.0.0.22170) • https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification_V2.pdf • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •