CVE-2024-5558
https://notcve.org/view.php?id=CVE-2024-5558
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could cause escalation of privileges when an attacker abuses a limited admin account. CWE-367: Existe una vulnerabilidad de condición de ejecución de tiempo de verificación y tiempo de uso (TOCTOU) que podría provocar una escalada de privilegios cuando un atacante abusa de una cuenta de administrador limitada. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2024-5056
https://notcve.org/view.php?id=CVE-2024-5056
CWE-552: Files or Directories Accessible to External Parties vulnerability exists which may prevent user to update the device firmware and prevent proper behavior of the webserver when specific files or directories are removed from the filesystem. CWE-552: Existe una vulnerabilidad de archivos o directorios accesibles a terceros que puede impedir que el usuario actualice el firmware del dispositivo e impedir el comportamiento adecuado del servidor web cuando se eliminan archivos o directorios específicos del sistema de archivos. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-01.pdf • CWE-552: Files or Directories Accessible to External Parties •
CVE-2024-2229 – Schneider Electric EcoStruxure Power Design - Ecodial BinSerializer Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-2229
CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution when a malicious project file is loaded into the application by a valid user. CWE-502: Existe una vulnerabilidad de deserialización de datos no confiables que podría causar la ejecución remota de código cuando un usuario válido carga un archivo de proyecto malicioso en la aplicación. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric EcoStruxure Power Design - Ecodial. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the BinSerializer class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-072-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-072-02.pdf • CWE-502: Deserialization of Untrusted Data •
CVE-2024-0865 – Schneider Electric EcoStruxure IT Gateway Hard-Coded Credentials Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-0865
CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege escalation when logged in as a non-administrative user. CWE-798: Existe una vulnerabilidad en el uso de credenciales codificadas que podría provocar una escalada de privilegios locales al iniciar sesión como usuario no administrativo. This vulnerability allows local attackers to escalate privileges on affected installations of Schneider Electric EcoStruxure IT Gateway. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the installer. The issue results from the use of hard-coded credentials. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-03.pdf • CWE-798: Use of Hard-coded Credentials •
CVE-2024-0568
https://notcve.org/view.php?id=CVE-2024-0568
CWE-287: Improper Authentication vulnerability exists that could cause unauthorized tampering of device configuration over NFC communication. CWE-287: Existe una vulnerabilidad de autenticación incorrecta que podría provocar una manipulación no autorizada de la configuración del dispositivo a través de la comunicación NFC. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-02.pdf • CWE-287: Improper Authentication •