
CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker.

This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Schneider Electric APC Easy UPS Online. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the deletePdfReportFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations.

• https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-03.pdf
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.5 | EPSS: 0% | CPEs: 32 | EXPL: 0

A CWE-494: Download of Code Without Integrity Check vulnerability exists that could allow a privileged user to install an untrusted firmware.

• https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-01.pdf
• CWE-494: Download of Code Without Integrity Check

CVSS: 8.2 | EPSS: 0% | CPEs: 32 | EXPL: 0

A CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability exists that could cause disclosure of information through phishing attempts over HTTP.

• https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-01.pdf
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 5.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS.

• https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-03.pdf
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 | EPSS: 0% | CPEs: 5 | EXPL: 0

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could lead to a cross-site scripting condition where attackers can have a victim's browser run arbitrary JavaScript when the victim visits a page containing the injected payload.

• https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-02.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')