CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0CVE-2022-22808
https://notcve.org/view.php?id=CVE-2022-22808
09 Feb 2022 — A CWE-352: Cross-Site Request Forgery (CSRF) exists that could cause a remote attacker to gain unauthorized access to the product when conducting cross-domain attacks based on same-origin policy or cross-site request forgery protections bypass. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-02 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-22809
https://notcve.org/view.php?id=CVE-2022-22809
09 Feb 2022 — A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) Una CWE-306: Se presenta una vulnerabilidad de Falta de Autenticación para la Función Crítica que podría permitir una modificación de las configuraciones tá... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22804
https://notcve.org/view.php?id=CVE-2022-22804
04 Feb 2022 — A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior) Una CWE-79: Se presenta una vulnerabilidad de Neutralización Inapropiada de la Entrada Durante la Generación de la Página Web ("Cross-site Scr... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22726
https://notcve.org/view.php?id=CVE-2022-22726
04 Feb 2022 — A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior) Una CWE-20: Se presenta una vulnerabilidad de Comprobación de Entrada Inapropiada que podría permitir una lectura de archivos arbitrarios en el servidor por parte de usuarios autenticados mediante una cuenta de servicio del sistema operativo ... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22727
https://notcve.org/view.php?id=CVE-2022-22727
04 Feb 2022 — A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user�s local machine when the user clicks a specially crafted link. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior) Una CWE-20: Se presenta una vulnerabilidad de Comprobación de Entrada Inapropiada que podría permitir a un atacante no autenticado visualizar datos, cambiar la configurac... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22725
https://notcve.org/view.php?id=CVE-2022-22725
04 Feb 2022 — A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. Protection functions and tripping function via GOOSE can be impacted. Affected Product: Easergy P3 (All versions prior to V30.205) Una CWE-120: Se presenta una vulnerabilidad de Copia del Búfer sin Comprobar el Tamaño de la Entrada que podría conllevar a un desbordamiento de... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-04 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 20EXPL: 0CVE-2020-7534
https://notcve.org/view.php?id=CVE-2020-7534
04 Feb 2022 — A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on the web server used, that could cause a leak of sensitive data or unauthorized actions on the web server during the time the user is logged in. Affected Products: Modicon M340 CPUs: BMXP34 (All Versions), Modicon Quantum CPUs with integrated Ethernet (Copro): 140CPU65 (All Versions), Modicon Premium CPUs with integrated Ethernet (Copro): TSXP57 (All Versions), Modicon M340 ethernet modules: (BMXNOC0401, BMXNOE01, BMXNOR0200H) (All Versions... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 0CVE-2022-22724
https://notcve.org/view.php?id=CVE-2022-22724
04 Feb 2022 — A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. Affected Product: Modicon M340 CPUs: BMXP34 (All Versions) Una CWE-400: Se presenta una vulnerabilidad de Consumo no Controlado de Recursos que podría causar una denegación de servicio en los puertos 80 (HTTP) y 502 (Modbus), cuando es enviado un gran número de paquetes TCP RST o FIN ... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22723
https://notcve.org/view.php?id=CVE-2022-22723
04 Feb 2022 — A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. Protection functions and tripping function via GOOSE can be impacted. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101) Una CWE-120: Se presenta una vulnerabilidad de Copia del Búfer sin Comprobar el Tamaño de la Entrada que podría conllevar a un desb... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22722
https://notcve.org/view.php?id=CVE-2022-22722
04 Feb 2022 — A CWE-798: Use of Hard-coded Credentials vulnerability exists that could result in information disclosure. If an attacker were to obtain the SSH cryptographic key for the device and take active control of the local operational network connected to the product they could potentially observe and manipulate traffic associated with product configuration. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101) Una CWE-798: Se presenta un uso de credenciales embebidas que podría resultar en una ... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03 • CWE-798: Use of Hard-coded Credentials •