
CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 3

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.

Schneider Electric U.Motion Builder version 1.3.4 suffers from an unauthenticated command injection vulnerability in track_import_export.php.

A SQL Injection vulnerability exists in U.motion Builder software which could cause unwanted code execution when an improper set of characters is entered.

• https://www.exploit-db.com/exploits/46846
• http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html
• http://seclists.org/fulldisclosure/2019/May/26
• https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The vulnerability exists within processing of loadtemplate.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the tpl input parameter.

• https://www.schneider-electric.com/en/download/document/SEVD-2018-095-01
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The vulnerability exists within css.inc.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The 'css' parameter contains a directory traversal vulnerability.

• https://www.schneider-electric.com/en/download/document/SEVD-2018-095-01
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The vulnerability exists within processing of editobject.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the type input parameter.

• https://www.schneider-electric.com/en/download/document/SEVD-2018-095-01
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.

• http://seclists.org/fulldisclosure/2019/May/26
• https://www.schneider-electric.com/en/download/document/SEVD-2018-095-01
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')