CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-24318
https://notcve.org/view.php?id=CVE-2022-24318
A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions) Una CWE-326: Se presenta una vulnerabilidad de Fuerza de Encriptación que podría causar una comunicación no encriptada con el servidor cuando son usadas versiones obsoletas del cliente ViewX. Producto afectado: ClearSCADA (todas las versiones), EcoStruxure Geo SCADA Expert 2019 (todas las versiones), EcoStruxure Geo SCADA Expert 2020 (todas las versiones) • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05 • CWE-326: Inadequate Encryption Strength •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-22811
https://notcve.org/view.php?id=CVE-2022-22811
A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that could induce users to perform unintended actions, leading to the override of the system�s configurations when an attacker persuades a user to visit a rogue website. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) Una CWE-352: Se presenta una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) que podría inducir a usuarios a llevar a cabo acciones no deseadas, conllevando a una anulación de las configuraciones del sistema cuando un atacante convence a un usuario para que visite un sitio web fraudulento. Producto afectado: spaceLYnk (versiones V2.6.2 y anteriores), Wiser for KNX (anteriormente homeLYnk) (versiones V2.6.2 y anteriores), fellerLYnk (V2.6.2 y anteriores) • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-22810
https://notcve.org/view.php?id=CVE-2022-22810
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) Una CWE-307: Se presenta una vulnerabilidad de Restricción Inapropiada de los Intentos de Autenticación Excesivos que podría permitir a un atacante manipular al administrador tras numerosos intentos de adivinar las credenciales. Producto afectado: spaceLYnk (versiones V2.6.2 y anteriores), Wiser for KNX (anteriormente homeLYnk) (versiones V2.6.2 y anteriores), fellerLYnk (versiones V2.6.2 y anteriores) • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.8EPSS: 0%CPEs: 66EXPL: 0CVE-2022-22813
https://notcve.org/view.php?id=CVE-2022-22813
A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration. Una CWE-798: Se presenta una vulnerabilidad de Uso de Credenciales Embebidas. Si un atacante obtuviera la clave criptográfica TLS y tomara el control activo de la red de comunicación de túneles de Courier, podría potencialmente observar y manipular el tráfico asociado a la configuración del producto • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-03 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24317 – Schneider Electric IGSS Missing Authentication Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-24317
A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) Una CWE-862: Se presenta una vulnerabilidad de Falta de Autorización que podría causar una exposición de información cuando un atacante envía un mensaje específico. Producto afectado: Interactive Graphical SCADA System Data Server (versiones V15.0.0.22020 y anteriores) This vulnerability allows remote attackers to disclose sensitive information on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the IGSSDataServer process, which listens on TCP port 12401 by default. The issue results from the lack of authentication prior to allowing access to functionality. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-01 https://www.zerodayinitiative.com/advisories/ZDI-22-324 • CWE-862: Missing Authorization •