
CVSS: 8.2 | EPSS: 0% | CPEs: 5 | EXPL: 0

A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an open redirect vulnerability leading to a cross-site scripting attack. By providing a URL-encoded input, attackers can cause the software’s web application to redirect to the chosen domain after a successful login is performed. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-02.pdf • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 4.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-01.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 0% | CPEs: 4 | EXPL: 0

A CWE-494 Download of Code Without Integrity Check vulnerability exists that could allow modified firmware to be uploaded when an authorized admin user begins a firmware update procedure, which could result in full control over the device. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-01.pdf • CWE-494: Download of Code Without Integrity Check

CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

A CWE-502: Deserialization of Untrusted Data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric EcoStruxure Power Monitoring Expert. Authentication is not required to exploit this vulnerability. The specific flaw exists within the GetFilteredSinkProvider method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf • CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric C-Bus Toolkit. Authentication is not required to exploit this vulnerability. The specific flaw exists within the FileCommand command. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-01.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')