Page 3 of 13 results (0.028 seconds)

CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file. Una CWE-22: Se presenta una vulnerabilidad de Limitación Inapropiada de un Nombre de Ruta en un Directorio Restringido ("Path Traversal") en EcoStruxure Operator Terminal Expert versiones 3.1 Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podría causar una ejecución de código malicioso cuando se abre el archivo del proyecto The vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric EcoStructure Operator Terminal Expert. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists with the handling of VXDZ files. A crafted project file can allow the loading of an arbitrary DLL. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.se.com/ww/en/download/document/SEVD-2020-133-04 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file. Una CWE-22: Se presenta una vulnerabilidad de Limitación Inapropiada de un Nombre de Ruta en un Directorio Restringido ("Path Traversal") durante la extracción de un archivo zip se presenta en EcoStruxure Operator Terminal Expert versiones 3.1 Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podría causar un acceso de escritura no autorizado fuera de la carpeta de ruta esperada cuando se abre el archivo del proyecto The vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric EcoStructure Operator Terminal Expert. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists with the handling of ZIP files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.se.com/ww/en/download/document/SEVD-2020-133-04 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file. Una CWE-89: Una vulnerabilidad de Neutralización Inapropiada de Elementos Especiales utilizados en un Comando SQL ("SQL Injection) en EcoStruxure Operator Terminal Expert versiones 3.1 Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podría causar una ejecución de código malicioso cuando se abre el archivo del proyecto The vulnerablity allows remote attackers to execute arbitrary code on affected installations of Schneider Electric EcoStruxure Operator Terminal Expert. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of VXDZ files. When parsing the parameters to load_extension the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.se.com/ww/en/download/document/SEVD-2020-133-04 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •