CVE-2024-0568
https://notcve.org/view.php?id=CVE-2024-0568
CWE-287: Improper Authentication vulnerability exists that could cause unauthorized tampering of device configuration over NFC communication. CWE-287: Existe una vulnerabilidad de autenticación incorrecta que podría provocar una manipulación no autorizada de la configuración del dispositivo a través de la comunicación NFC. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-02.pdf • CWE-287: Improper Authentication •
CVE-2023-6408
https://notcve.org/view.php?id=CVE-2023-6408
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause a denial of service and loss of confidentiality, integrity of controllers when conducting a Man in the Middle attack. CWE-924: Existe una vulnerabilidad en la aplicación inadecuada de la integridad de los mensajes durante la transmisión en un canal de comunicación que podría causar una denegación de servicio y pérdida de confidencialidad e integridad de los controladores al realizar un ataque Man in the Middle. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-01.pdf • CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel •
CVE-2023-7032 – Schneider Electric Easergy Studio InitializeChannel Deserialization of Untrusted Data Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-7032
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object. Existe una vulnerabilidad CWE-502: deserialización de datos no confiables que podría permitir que un atacante que haya iniciado sesión con una cuenta de nivel de usuario obtenga mayores privilegios al proporcionar un objeto serializado dañino. This vulnerability allows local attackers to escalate privileges on affected installations of Schneider Electric Easergy Studio. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the InitializeChannel method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-009-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-009-02.pdf • CWE-502: Deserialization of Untrusted Data •
CVE-2023-6407 – Schneider Electric APC Easy UPS Online deletePdfReportFile Directory Traversal Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-6407
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker. Existe una vulnerabilidad CWE-22: limitación inadecuada de un nombre de ruta a un directorio restringido ("Path Traversal") que podría causar la eliminación arbitraria de archivos al reiniciar el servicio cuando un atacante local y con pocos privilegios accede a él. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Schneider Electric APC Easy UPS Online. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the deletePdfReportFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-03.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-5630
https://notcve.org/view.php?id=CVE-2023-5630
A CWE-494: Download of Code Without Integrity Check vulnerability exists that could allow a privileged user to install an untrusted firmware. Existe una vulnerabilidad CWE-494: Descarga de código sin verificación de integridad que podría permitir a un usuario privilegiado instalar un firmware que no es de confianza. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-01.pdf • CWE-494: Download of Code Without Integrity Check •