// For flags

CVE-2022-41671

 

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

Existe una vulnerabilidad CWE-89: Neutralización inadecuada de elementos especiales utilizados en el comando SQL ('Inyección SQL') que permite a adversarios con privilegios de usuario local crear una consulta SQL maliciosa y ejecutarla como parte de la migración del proyecto, lo que podría resultar en la ejecución de código malicioso. Productos afectados: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 o anterior), Pro-face BLUE (V3.3 Hotfix 1 o anterior).

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-09-27 CVE Reserved
  • 2022-11-04 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Schneider-electric
Search vendor "Schneider-electric"
Ecostruxure Operator Terminal Expert
Search vendor "Schneider-electric" for product "Ecostruxure Operator Terminal Expert"
< 3.3
Search vendor "Schneider-electric" for product "Ecostruxure Operator Terminal Expert" and version " < 3.3"
-
Affected
Schneider-electric
Search vendor "Schneider-electric"
Ecostruxure Operator Terminal Expert
Search vendor "Schneider-electric" for product "Ecostruxure Operator Terminal Expert"
3.3
Search vendor "Schneider-electric" for product "Ecostruxure Operator Terminal Expert" and version "3.3"
-
Affected
Schneider-electric
Search vendor "Schneider-electric"
Ecostruxure Operator Terminal Expert
Search vendor "Schneider-electric" for product "Ecostruxure Operator Terminal Expert"
3.3
Search vendor "Schneider-electric" for product "Ecostruxure Operator Terminal Expert" and version "3.3"
hotfix1
Affected
Schneider-electric
Search vendor "Schneider-electric"
Pro-face Blue
Search vendor "Schneider-electric" for product "Pro-face Blue"
< 3.3
Search vendor "Schneider-electric" for product "Pro-face Blue" and version " < 3.3"
-
Affected
Schneider-electric
Search vendor "Schneider-electric"
Pro-face Blue
Search vendor "Schneider-electric" for product "Pro-face Blue"
3.3
Search vendor "Schneider-electric" for product "Pro-face Blue" and version "3.3"
-
Affected
Schneider-electric
Search vendor "Schneider-electric"
Pro-face Blue
Search vendor "Schneider-electric" for product "Pro-face Blue"
3.3
Search vendor "Schneider-electric" for product "Pro-face Blue" and version "3.3"
hotfix1
Affected