CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1CVE-2018-10620
https://notcve.org/view.php?id=CVE-2018-10620
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. En AVEVA InduSoft Web Studio v8.1 y v8.1SP1 e InTouch Machine Edition v2017 8.1 y v2017 8.1 SP1, un usuario remoto podría enviar un paquete cuidadosamente manipulado para explotar una vulnerabilidad de desbordamiento de búfer basado en pila durante acciones relacionadas con etiquetas, alarmas o eventos, tales como la lectura y la escritura, con la posibilidad de que se ejecute código. • http://www.securityfocus.com/bid/104870 https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01 https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec128%28002%29.pdf https://www.tenable.com/security/research/tra-2018-19 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5160
https://notcve.org/view.php?id=CVE-2017-5160
An Inadequate Encryption Strength issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The software will connect via Transport Layer Security without verifying the peer's SSL certificate properly. Se ha descubierto un problema Inadequate Encryption Strength en Schneider Electric Wonderware InTouch Access Anywhere, versión 11.5.2 y en versiones anteriores. El software se conectará a través de Transport Layer Security sin verificar correctamente el certificado SSL de los pares. • http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114 http://www.securityfocus.com/bid/97256 https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01 • CWE-326: Inadequate Encryption Strength •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5158
https://notcve.org/view.php?id=CVE-2017-5158
An Information Exposure issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. Credentials may be exposed to external systems via specific URL parameters, as arbitrary destination addresses may be specified. Se ha descubierto un problema de exposición de la información en Schneider Electric Wonderware InTouch Access Anywhere, versión 11.5.2 y en versiones anteriores. Las credenciales pueden estar expuestas a sistemas externos a través de parámetros específicos de URL, se pueden especificar direcciones de destino arbitrarias. • http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114 http://www.securityfocus.com/bid/97256 https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5156
https://notcve.org/view.php?id=CVE-2017-5156
A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external site to access internal RDP systems on behalf of the currently logged in user. Un problema CSRF fue descubierto en Schneider Electric Wonderware InTouch Access Anywhere, versión 11.5.2 y en versiones anteriores. La solicitud del cliente puede falsificarse desde un sitio diferente. • http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114 http://www.securityfocus.com/bid/97256 https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2015-0999
https://notcve.org/view.php?id=CVE-2015-0999
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 store cleartext OPC User credentials in a configuration file, which allows local users to obtain sensitive information by reading this file. Schneider Electric InduSoft Web Studio anterior a 7.1.3.4 SP3 Patch 4 e InTouch Machine Edition 2014 anterior a 7.1.3.4 SP3 Patch 4 almacenan las credenciales de usuarios OPC en texto claro en un fichero de configuración, lo que permite a usuarios locales obtener información sensible mediante la lectura de este fichero. • http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-01 http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-054-02 https://ics-cert.us-cert.gov/advisories/ICSA-15-085-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •