Vulnerabilities related to schneider-electric - ecostruxure_operator_terminal_expert
Vulnerability from fkie_nvd
Published
2020-06-16 20:15
Modified
2024-11-21 05:37
Severity ?
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E274928-428F-4CD4-9EF6-7C499B4FBCBA", "versionEndIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:-:*:*:*:*:*:*", "matchCriteriaId": "C5B39FB1-D76F-47E9-AA10-E32282202F04", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "DC9E5C58-B3D1-4871-A63D-0E48E747C610", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file." 
}, { "lang": "es", "value": "Una CWE-22: Se presenta una vulnerabilidad de Limitaci\u00f3n Inapropiada de un Nombre de Ruta en un Directorio Restringido (\"Path Traversal\") durante la extracci\u00f3n de un archivo zip se presenta en EcoStruxure Operator Terminal Expert versiones 3.1 Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podr\u00eda causar un acceso de escritura no autorizado fuera de la carpeta de ruta esperada cuando se abre el archivo del proyecto" } ], "id": "CVE-2020-7495", "lastModified": "2024-11-21T05:37:15.467", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-16T20:15:14.457", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "sourceIdentifier": 
"cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "cybersecurity@se.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-16 20:15
Modified
2024-11-21 05:37
Severity ?
Summary
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E274928-428F-4CD4-9EF6-7C499B4FBCBA", "versionEndIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:-:*:*:*:*:*:*", "matchCriteriaId": "C5B39FB1-D76F-47E9-AA10-E32282202F04", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "DC9E5C58-B3D1-4871-A63D-0E48E747C610", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file." 
}, { "lang": "es", "value": "Una CWE-89: Una vulnerabilidad de Neutralizaci\u00f3n Inapropiada de Elementos Especiales utilizados en un Comando SQL (\"SQL Injection) en EcoStruxure Operator Terminal Expert versiones 3.1 Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podr\u00eda causar una ejecuci\u00f3n de c\u00f3digo malicioso cuando se abre el archivo del proyecto" } ], "id": "CVE-2020-7493", "lastModified": "2024-11-21T05:37:15.253", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-16T20:15:14.270", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": 
"en", "value": "CWE-89" } ], "source": "cybersecurity@se.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-11-04 05:15
Modified
2024-11-21 07:23
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "5705916B-E189-4314-AD32-C8D42991DFA2", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "A6EAEC62-F689-43A2-8EDB-68867661ED92", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*", "matchCriteriaId": "297C4149-AA1F-4033-BD74-0FB908783399", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "FB229476-7E0C-46ED-817D-C9A72250CC5D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." }, { "lang": "es", "value": "Existe una vulnerabilidad CWE-347: Verificaci\u00f3n Inadecuada de Firma Criptogr\u00e1fica que permite a adversarios con privilegios de usuario local cargar una DLL maliciosa que podr\u00eda conducir a la ejecuci\u00f3n de c\u00f3digo malicioso. Productos afectados: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 o anterior), Pro-face BLUE (V3.3 Hotfix 1 o anterior)." 
} ], "id": "CVE-2022-41666", "lastModified": "2024-11-21T07:23:36.033", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-04T05:15:09.040", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-347" } ], "source": "cybersecurity@se.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-14 08:15
Modified
2024-11-21 07:38
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause execution of malicious code when an unsuspecting user loads a project file from the
local filesystem into the HMI.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "5705916B-E189-4314-AD32-C8D42991DFA2", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "A6EAEC62-F689-43A2-8EDB-68867661ED92", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:sp1:*:*:*:*:*:*", "matchCriteriaId": "17F5EDCD-B9E6-40D7-88FC-C2685384C5B4", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*", "matchCriteriaId": "297C4149-AA1F-4033-BD74-0FB908783399", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "FB229476-7E0C-46ED-817D-C9A72250CC5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:sp1:*:*:*:*:*:*", "matchCriteriaId": "78D3C9DF-3354-47E0-881F-4B59CE22BCF7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "\nA CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability exists that\ncould cause execution of malicious code when an unsuspicious user loads a project file from the\nlocal filesystem into the HMI.\n\n" } ], "id": "CVE-2023-1049", "lastModified": "2024-11-21T07:38:21.647", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, 
"source": "cybersecurity@se.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-14T08:15:08.773", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Vendor Advisory" ], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-164-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-164-01.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-164-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-164-01.pdf" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "cybersecurity@se.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-01-26 18:15
Modified
2024-11-21 05:22
Severity ?
Summary
A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enabled on the HMI.
References
Source | URL | Tags
---|---|---
cybersecurity@se.com | https://www.se.com/ww/en/download/document/SEVD-2021-012-01/ | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.se.com/ww/en/download/document/SEVD-2021-012-01/ | Patch, Vendor Advisory
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "91DB915E-0D1C-40C9-A4D2-D078BE03F27C", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1a:*:*:*:*:*:*", "matchCriteriaId": "BACE1852-347B-4311-9CCB-D8FFDCD0FECA", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:schneider-electric:hmi_sto_501:-:*:*:*:*:*:*:*", "matchCriteriaId": "A65EC4B3-11C8-4D04-BC69-3DD258304B87", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmi_sto_511:-:*:*:*:*:*:*:*", "matchCriteriaId": "AD340565-725B-4453-9B24-4C86644F9D34", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmi_sto_512:-:*:*:*:*:*:*:*", "matchCriteriaId": "6C386B6A-3F2A-4F56-9651-FFD974EDB774", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmi_sto_531:-:*:*:*:*:*:*:*", "matchCriteriaId": "C7FC9FA9-B98B-4C51-A349-9DF6FB36E1B6", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmi_sto_532:-:*:*:*:*:*:*:*", "matchCriteriaId": "E26C0B22-12A9-44CF-BFE4-AEC4D066ACCA", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmig3u:-:*:*:*:*:*:*:*", "matchCriteriaId": "EFF2C9FF-6BE3-4016-91A1-3EDDF4BB1DFE", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmig3x:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9B4D538-DC2F-4DAE-A036-A577E509D1CF", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmig5u:-:*:*:*:*:*:*:*", "matchCriteriaId": "E72FE48D-3B73-48DA-BABE-F0871E118E7E", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmig5u2:-:*:*:*:*:*:*:*", "matchCriteriaId": "E881CC09-2083-4958-A08B-C6A1A6368368", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmist6200:-:*:*:*:*:*:*:*", "matchCriteriaId": "3BD84D5B-217A-4FF5-94E5-91541CA61EF5", 
"vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmist6400:-:*:*:*:*:*:*:*", "matchCriteriaId": "16C13321-9184-4081-A11A-8C427BB4BE71", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmist6500:-:*:*:*:*:*:*:*", "matchCriteriaId": "B3290B53-034D-4DDB-AFA3-5D91A10725E1", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmist6600:-:*:*:*:*:*:*:*", "matchCriteriaId": "570DB15C-328D-42CD-B82C-ED8A817F74FC", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:hmist6700:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC6B0D00-4CA9-4012-92A8-0D0634FBB4BD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "954E2CC0-2CB2-47BE-89E2-E834435CB667", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.1:sp1a:*:*:*:*:*:*", "matchCriteriaId": "80985893-C9FE-44C0-B388-76B8CEA14DB6", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:schneider-electric:gp-4104g:-:*:*:*:*:*:*:*", "matchCriteriaId": "B273E19D-7E4C-4437-AB67-49CAF24FA352", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:gp-4104w:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7F327BA-197B-4BFA-9FE6-E40A3E7FED93", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:gp-4105g:-:*:*:*:*:*:*:*", "matchCriteriaId": "8750204E-2333-4163-A88A-7AC0D79B0B3D", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:gp-4105w:-:*:*:*:*:*:*:*", "matchCriteriaId": "E0D39C42-32BE-45DB-9590-0E382C76D0D8", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:gp-4106g:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2EE3958-E7E2-4CA7-BBFB-3015EFAD957C", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:gp-4106w:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"437A78A0-2D71-442F-A96F-BF34FC6E406C", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:gp-4107g:-:*:*:*:*:*:*:*", "matchCriteriaId": "91285194-9241-4B4C-9BC5-EDDEC769A191", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:gp-4107w:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D7DD410-DC45-4E7C-AD92-B7F236376D21", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5400wa:-:*:*:*:*:*:*:*", "matchCriteriaId": "43886AEE-C7EB-46CC-86FC-DA401BAED53A", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5500tp:-:*:*:*:*:*:*:*", "matchCriteriaId": "0F839018-F28F-42C9-A725-EA564B29BCA7", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5500wa:-:*:*:*:*:*:*:*", "matchCriteriaId": "C9B7D645-5E75-4322-A725-5E87175CFB38", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5600ta:-:*:*:*:*:*:*:*", "matchCriteriaId": "DF5F2C5B-F295-429E-9176-B17F3A368001", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5600tp:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D9E6A3B-E4AD-404F-84BC-40A43E5B6190", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5600wa:-:*:*:*:*:*:*:*", "matchCriteriaId": "6791B663-7EA9-46F4-A1B2-E0FA6892C02E", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5660tp:-:*:*:*:*:*:*:*", "matchCriteriaId": "99B18FDD-893B-449E-AA2F-17DFEC641450", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5700tp:-:*:*:*:*:*:*:*", "matchCriteriaId": "65029B55-0B79-41D0-A595-B52EF289608F", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5700wc:-:*:*:*:*:*:*:*", "matchCriteriaId": "AEE93DF3-238B-41A0-98A6-95C9198597CE", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5800wc:-:*:*:*:*:*:*:*", "matchCriteriaId": "08BD83A7-89E6-495A-9614-34036D973463", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5b00:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"674CC67D-7FFD-45C4-8F55-3B88D9573A8B", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5b10:-:*:*:*:*:*:*:*", "matchCriteriaId": "F71C88DF-8F96-4CB1-8DB6-0AC4D518A316", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:sp-5b41:-:*:*:*:*:*:*:*", "matchCriteriaId": "C57403D3-FBC8-4223-A46E-8AEAE0FFC555", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:st-6200wa:-:*:*:*:*:*:*:*", "matchCriteriaId": "8FE1CEF1-B73A-43FC-9ED9-E3710C4C41B3", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:st-6400wa:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C96ACBC-B832-44AA-B36A-33EEA69CD963", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:st-6500wa:-:*:*:*:*:*:*:*", "matchCriteriaId": "A24789BC-38C9-483B-9A99-A460D1ED41E1", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:st-6600wa:-:*:*:*:*:*:*:*", "matchCriteriaId": "7AF5CB30-8F1D-4ECE-9AE7-60D0FDAD3FE5", "vulnerable": false }, { "criteria": "cpe:2.3:h:schneider-electric:st-6700wa:-:*:*:*:*:*:*:*", "matchCriteriaId": "37A233C5-3E7E-4911-AF51-7C8271E2747F", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure\u2122 Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI." 
}, { "lang": "es", "value": "CWE-20: Se presenta una vulnerabilidad de Comprobaci\u00f3n Inapropiada de la Entrada en EcoStruxure\u2122 Operator Terminal Expert y Pro-face BLUE (detalles de la versi\u00f3n en la notificaci\u00f3n) que podr\u00eda causar una ejecuci\u00f3n de c\u00f3digo arbitraria cuando la funcionalidad Ethernet Download est\u00e1 habilitada en la HMI" } ], "id": "CVE-2020-28221", "lastModified": "2024-11-21T05:22:30.077", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-26T18:15:47.600", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2021-012-01/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2021-012-01/" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-20" } ], "source": "cybersecurity@se.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-16 20:15
Modified
2024-11-21 05:37
Severity ?
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E274928-428F-4CD4-9EF6-7C499B4FBCBA", "versionEndIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:-:*:*:*:*:*:*", "matchCriteriaId": "C5B39FB1-D76F-47E9-AA10-E32282202F04", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "DC9E5C58-B3D1-4871-A63D-0E48E747C610", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file." 
}, { "lang": "es", "value": "Una CWE-22: Se presenta una vulnerabilidad de Limitaci\u00f3n Inapropiada de un Nombre de Ruta en un Directorio Restringido (\"Path Traversal\") en EcoStruxure Operator Terminal Expert versiones 3.1 Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podr\u00eda causar una ejecuci\u00f3n de c\u00f3digo malicioso cuando se abre el archivo del proyecto" } ], "id": "CVE-2020-7494", "lastModified": "2024-11-21T05:37:15.360", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-16T20:15:14.380", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-22" } ], "source": "cybersecurity@se.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-11-04 12:15
Modified
2024-11-21 07:23
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
References
Source | URL | Tags
---|---|---
cybersecurity@se.com | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "5705916B-E189-4314-AD32-C8D42991DFA2", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "5585436E-9363-4730-9AF5-CE705093E664", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:hf1:*:*:*:*:*:*", "matchCriteriaId": "1495D2CA-263C-4B9F-9C4F-A1DCA574743E", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*", "matchCriteriaId": "297C4149-AA1F-4033-BD74-0FB908783399", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "5B593005-BB3F-439A-AF38-F31AFEF6FCB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:hf1:*:*:*:*:*:*", "matchCriteriaId": "D3D36B2C-AA16-4E42-90AF-DE40D6527D23", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." }, { "lang": "es", "value": "Existe una vulnerabilidad CWE-704: Conversi\u00f3n de Proyecto Incorrecta que permite a adversarios con privilegios de usuario local cargar un archivo de proyecto desde un recurso compartido de red controlado por el adversario, lo que podr\u00eda resultar en la ejecuci\u00f3n de c\u00f3digo malicioso. 
Productos afectados: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 o anterior), Pro-face BLUE (V3.3 Hotfix 1 o anterior)." } ], "id": "CVE-2022-41668", "lastModified": "2024-11-21T07:23:36.310", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-04T12:15:20.540", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-704" } ], "source": "cybersecurity@se.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-11-04 14:15
Modified
2024-11-21 07:23
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).
References
▼ | URL | Tags | |
---|---|---|---|
cybersecurity@se.com | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "5705916B-E189-4314-AD32-C8D42991DFA2", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "A6EAEC62-F689-43A2-8EDB-68867661ED92", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "54A2C97D-9FE0-4E01-B9BE-D5508CFEEB5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*", "matchCriteriaId": "297C4149-AA1F-4033-BD74-0FB908783399", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "FB229476-7E0C-46ED-817D-C9A72250CC5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "C893D88A-656A-4748-841C-5851D34E9C69", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." }, { "lang": "es", "value": "Existe una vulnerabilidad CWE-22: Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido (\"Path Traversal\") en el componente SGIUtility que permite a adversarios con privilegios de usuario local cargar archivos DLL maliciosos que podr\u00edan resultar en la ejecuci\u00f3n de c\u00f3digo malicioso. 
Productos afectados: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 o anterior), Pro-face BLUE (V3.3 Hotfix 1 o anterior)." } ], "id": "CVE-2022-41670", "lastModified": "2024-11-21T07:23:36.567", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-04T14:15:10.627", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "cybersecurity@se.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-11-04 15:15
Modified
2024-11-21 07:23
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).
References
▼ | URL | Tags | |
---|---|---|---|
cybersecurity@se.com | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "5705916B-E189-4314-AD32-C8D42991DFA2", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "A6EAEC62-F689-43A2-8EDB-68867661ED92", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "54A2C97D-9FE0-4E01-B9BE-D5508CFEEB5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*", "matchCriteriaId": "297C4149-AA1F-4033-BD74-0FB908783399", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "FB229476-7E0C-46ED-817D-C9A72250CC5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "C893D88A-656A-4748-841C-5851D34E9C69", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-89: Improper Neutralization of Special Elements used in SQL Command (\u2018SQL Injection\u2019) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." 
}, { "lang": "es", "value": "Existe una vulnerabilidad CWE-89: Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en el comando SQL (\u0027Inyecci\u00f3n SQL\u0027) que permite a adversarios con privilegios de usuario local crear una consulta SQL maliciosa y ejecutarla como parte de la migraci\u00f3n del proyecto, lo que podr\u00eda resultar en la ejecuci\u00f3n de c\u00f3digo malicioso. Productos afectados: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 o anterior), Pro-face BLUE (V3.3 Hotfix 1 o anterior)." } ], "id": "CVE-2022-41671", "lastModified": "2024-11-21T07:23:36.693", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-04T15:15:10.353", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": 
"Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "cybersecurity@se.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-16 20:15
Modified
2024-11-21 05:37
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause arbitrary application execution when the computer starts.
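References
▼ | URL | Tags | |
---|---|---|---|
cybersecurity@se.com | https://www.se.com/ww/en/download/document/SEVD-2020-133-04 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.se.com/ww/en/download/document/SEVD-2020-133-04 | Vendor Advisory |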
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E274928-428F-4CD4-9EF6-7C499B4FBCBA", "versionEndIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:-:*:*:*:*:*:*", "matchCriteriaId": "C5B39FB1-D76F-47E9-AA10-E32282202F04", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "DC9E5C58-B3D1-4871-A63D-0E48E747C610", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause arbitrary application execution when the computer starts." 
}, { "lang": "es", "value": "Una CWE-22: Se presenta una vulnerabilidad de Limitaci\u00f3n Inapropiada de un Nombre de Ruta en un Directorio Restringido (\"Path Traversal\") en EcoStruxure Operator Terminal Expert versiones 3.1 Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podr\u00eda causar una ejecuci\u00f3n arbitraria de la aplicaci\u00f3n cuando se inicia la computadora" } ], "id": "CVE-2020-7497", "lastModified": "2024-11-21T05:37:15.670", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-16T20:15:14.613", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-22" } ], "source": "cybersecurity@se.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-11-04 13:15
Modified
2024-11-21 07:23
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).
References
▼ | URL | Tags | |
---|---|---|---|
cybersecurity@se.com | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "5705916B-E189-4314-AD32-C8D42991DFA2", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "A6EAEC62-F689-43A2-8EDB-68867661ED92", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "54A2C97D-9FE0-4E01-B9BE-D5508CFEEB5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*", "matchCriteriaId": "297C4149-AA1F-4033-BD74-0FB908783399", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:-:*:*:*:*:*:*", "matchCriteriaId": "FB229476-7E0C-46ED-817D-C9A72250CC5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "C893D88A-656A-4748-841C-5851D34E9C69", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." }, { "lang": "es", "value": "Existe una vulnerabilidad CWE-347: Verificaci\u00f3n Inadecuada de Firma Criptogr\u00e1fica en el componente SGIUtility que permite a adversarios con privilegios de usuario local cargar una DLL maliciosa que podr\u00eda resultar en la ejecuci\u00f3n de c\u00f3digo malicioso. 
Productos afectados: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 o anterior), Pro-face BLUE (V3.3 Hotfix 1 o anterior)." } ], "id": "CVE-2022-41669", "lastModified": "2024-11-21T07:23:36.437", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-04T13:15:11.250", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-347" } ], "source": "cybersecurity@se.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-11-04 12:15
Modified
2024-11-21 07:23
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).
References
▼ | URL | Tags | |
---|---|---|---|
cybersecurity@se.com | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "5705916B-E189-4314-AD32-C8D42991DFA2", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "5585436E-9363-4730-9AF5-CE705093E664", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:hf1:*:*:*:*:*:*", "matchCriteriaId": "1495D2CA-263C-4B9F-9C4F-A1DCA574743E", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*", "matchCriteriaId": "297C4149-AA1F-4033-BD74-0FB908783399", "versionEndExcluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "5B593005-BB3F-439A-AF38-F31AFEF6FCB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:schneider-electric:pro-face_blue:3.3:hf1:*:*:*:*:*:*", "matchCriteriaId": "D3D36B2C-AA16-4E42-90AF-DE40D6527D23", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." }, { "lang": "es", "value": "Existe una vulnerabilidad CWE-22: Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido (\"Path Traversal\") que permite a adversarios con privilegios de usuario local cargar una DLL maliciosa que podr\u00eda conducir a la ejecuci\u00f3n de c\u00f3digo malicioso. 
Productos afectados: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 o anterior), Pro-face BLUE (V3.3 Hotfix 1 o anterior)." } ], "id": "CVE-2022-41667", "lastModified": "2024-11-21T07:23:36.180", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-04T12:15:19.153", "references": [ { "source": "cybersecurity@se.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "cybersecurity@se.com", "type": "Primary" } ] }
CVE-2020-28221 (GCVE-0-2020-28221)
Vulnerability from cvelistv5
Published
2021-01-25 17:08
Modified
2024-08-04 16:33
CWE
- CWE-20 - Improper Input Validation
Summary
A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enabled on the HMI.
References
▼ | URL | Tags |
---|---|---|
https://www.se.com/ww/en/download/document/SEVD-2021-012-01/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series |
Version: EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:33:58.933Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2021-012-01/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "EcoStruxure\u2122 Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series", "vendor": "n/a", "versions": [ { "status": "affected", "version": "EcoStruxure\u2122 Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure\u2122 Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-25T17:08:37", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2021-012-01/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-28221", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "EcoStruxure\u2122 Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series", "version": { "version_data": [ { "version_value": "EcoStruxure\u2122 Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure\u2122 Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-20: Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.se.com/ww/en/download/document/SEVD-2021-012-01/", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2021-012-01/" } ] } } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-28221", "datePublished": "2021-01-25T17:08:37", "dateReserved": "2020-11-05T00:00:00", "dateUpdated": "2024-08-04T16:33:58.933Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-7495 (GCVE-0-2020-7495)
Vulnerability from cvelistv5
Published
2020-06-16 19:11
Modified
2024-08-04 09:33
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file.
References
▼ | URL | Tags |
---|---|---|
https://www.se.com/ww/en/download/document/SEVD-2020-133-04 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) |
Version: EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:33:19.527Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "vendor": "n/a", "versions": [ { "status": "affected", "version": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-16T19:11:55", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7495", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "version": { "version_data": [ { "version_value": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ] } } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7495", "datePublished": "2020-06-16T19:11:55", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.527Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-7493 (GCVE-0-2020-7493)
Vulnerability from cvelistv5
Published
2020-06-16 19:10
Modified
2024-08-04 09:33
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file.
References
URL | Tags |
---|---|
https://www.se.com/ww/en/download/document/SEVD-2020-133-04 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) | EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:33:19.454Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "vendor": "n/a", "versions": [ { "status": "affected", "version": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-16T19:10:35", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7493", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "version": { "version_data": [ { "version_value": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)" } ] } } ] }, "vendor_name": "n/a" } ] } }, 
"data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ] } } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7493", "datePublished": "2020-06-16T19:10:35", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.454Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-41668 (GCVE-0-2022-41668)
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2025-05-02 18:27
CWE
- CWE-704 - Incorrect Type Conversion or Cast
Summary
A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share, which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
References
Impacted products
Vendor | Product | Version |
---|---|---|
Schneider Electric | EcoStruxure Operator Terminal Expert | V3.3 Hotfix 1 or prior |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.608Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-41668", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-02T18:27:10.820390Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-02T18:27:23.419Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] }, { "product": "Pro-face BLUE", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-704", "description": "CWE-704 Incorrect Type Conversion or Cast", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-04T00:00:00.000Z", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2022-41668", "datePublished": "2022-11-04T00:00:00.000Z", "dateReserved": "2022-09-27T00:00:00.000Z", "dateUpdated": "2025-05-02T18:27:23.419Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-41666 (GCVE-0-2022-41666)
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2025-05-02 18:26
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Summary
A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL, which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
References
Impacted products
Vendor | Product | Version |
---|---|---|
Schneider Electric | EcoStruxure Operator Terminal Expert | V3.3 Hotfix 1 or prior |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.908Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-41666", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-02T18:25:41.821506Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-02T18:26:02.139Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] }, { "product": "Pro-face BLUE", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-04T00:00:00.000Z", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2022-41666", "datePublished": "2022-11-04T00:00:00.000Z", "dateReserved": "2022-09-27T00:00:00.000Z", "dateUpdated": "2025-05-02T18:26:02.139Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-7494 (GCVE-0-2020-7494)
Vulnerability from cvelistv5
Published
2020-06-16 19:11
Modified
2024-08-04 09:33
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file.
References
URL | Tags |
---|---|
https://www.se.com/ww/en/download/document/SEVD-2020-133-04 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) | EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:33:19.469Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "vendor": "n/a", "versions": [ { "status": "affected", "version": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-16T19:11:04", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7494", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "version": { "version_data": [ { "version_value": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": 
"MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ] } } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7494", "datePublished": "2020-06-16T19:11:04", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.469Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-41669 (GCVE-0-2022-41669)
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2025-05-02 18:28
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Summary
A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL, which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
References
Impacted products
Vendor | Product | Version |
---|---|---|
Schneider Electric | EcoStruxure Operator Terminal Expert | V3.3 Hotfix 1 or prior |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.392Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-41669", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-02T18:27:46.914216Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-02T18:28:02.037Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] }, { "product": "Pro-face BLUE", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-04T00:00:00.000Z", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2022-41669", "datePublished": "2022-11-04T00:00:00.000Z", "dateReserved": "2022-09-27T00:00:00.000Z", "dateUpdated": "2025-05-02T18:28:02.037Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-7497 (GCVE-0-2020-7497)
Vulnerability from cvelistv5
Published
2020-06-16 19:13
Modified
2024-08-04 09:33
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause arbitrary application execution when the computer starts.
References
URL | Tags |
---|---|
https://www.se.com/ww/en/download/document/SEVD-2020-133-04 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) | EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:33:19.521Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "vendor": "n/a", "versions": [ { "status": "affected", "version": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause arbitrary application execution when the computer starts." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-16T19:13:57", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7497", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "version": { "version_data": [ { "version_value": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": 
"MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause arbitrary application execution when the computer starts." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04" } ] } } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7497", "datePublished": "2020-06-16T19:13:57", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.521Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-41667 (GCVE-0-2022-41667)
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2025-05-02 18:26
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that allows adversaries with local user privileges to load a malicious DLL, which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
References
Impacted products
Vendor | Product | Version |
---|---|---|
Schneider Electric | EcoStruxure Operator Terminal Expert | V3.3 Hotfix 1 or prior |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.501Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-41667", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-02T18:26:27.695185Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-02T18:26:43.222Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] }, { "product": "Pro-face BLUE", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-04T00:00:00.000Z", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2022-41667", "datePublished": "2022-11-04T00:00:00.000Z", "dateReserved": "2022-09-27T00:00:00.000Z", "dateUpdated": "2025-05-02T18:26:43.222Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-41671 (GCVE-0-2022-41671)
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2025-05-01 19:03
CWE
- CWE-89 - SQL Injection
Summary
A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute it as part of project migration, which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
References
Impacted products
Vendor | Product | Version |
---|---|---|
Schneider Electric | EcoStruxure Operator Terminal Expert | V3.3 Hotfix 1 or prior |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.620Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-41671", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-01T19:02:44.767060Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-01T19:03:13.270Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] }, { "product": "Pro-face BLUE", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-89: Improper Neutralization of Special Elements used in SQL Command (\u2018SQL Injection\u2019) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-04T00:00:00.000Z", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2022-41671", "datePublished": "2022-11-04T00:00:00.000Z", "dateReserved": "2022-09-27T00:00:00.000Z", "dateUpdated": "2025-05-01T19:03:13.270Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-41670 (GCVE-0-2022-41670)
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2025-04-30 20:10
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL, which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
References
Impacted products
Vendor | Product | Version |
---|---|---|
Schneider Electric | EcoStruxure Operator Terminal Expert | V3.3 Hotfix 1 or prior |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.436Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-41670", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-30T20:10:21.838016Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-30T20:10:42.160Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "EcoStruxure Operator Terminal Expert", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] }, { "product": "Pro-face BLUE", "vendor": "Schneider Electric", "versions": [ { "lessThanOrEqual": "Hotfix 1", "status": "affected", "version": "V3.3", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-04T00:00:00.000Z", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2022-41670", "datePublished": "2022-11-04T00:00:00.000Z", "dateReserved": "2022-09-27T00:00:00.000Z", "dateUpdated": "2025-04-30T20:10:42.160Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-1049 (GCVE-0-2023-1049)
Vulnerability from cvelistv5
Published
2023-06-14 07:27
Modified
2025-01-02 20:43
Severity
7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
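A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspecting user loads a project file from the local filesystem into the HMI. Per the record's CVSS vector (AV:L, UI:R), the trigger is the user opening the project file, so project files from untrusted sources should be treated as untrusted input.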
References
Impacted products
Vendor | Product | Version
---|---|---
Schneider Electric | EcoStruxure™ Operator Terminal Expert | 3.3 SP1 and prior
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:32:46.335Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-164-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-164-01.pdf" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-1049", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-02T20:43:06.623896Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-02T20:43:15.380Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "EcoStruxure\u2122 Operator Terminal Expert", "vendor": "Schneider Electric", "versions": [ { "status": "affected", "version": "3.3 SP1 and prior" } ] }, { "defaultStatus": "unaffected", "product": "Pro-face BLUE", "vendor": "Schneider Electric", "versions": [ { "status": "affected", "version": "3.3 SP1 and prior" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\nA CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability exists that\ncould cause execution of malicious code when an unsuspicious user loads a project file from the\nlocal filesystem into the HMI.\n\n" } ], "value": "\nA CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability exists that\ncould cause execution of malicious code when an unsuspicious user loads a project file from the\nlocal filesystem into the HMI.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 
7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-14T07:27:59.794Z", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-164-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-164-01.pdf" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2023-1049", "datePublished": "2023-06-14T07:27:59.794Z", "dateReserved": "2023-02-27T08:10:00.738Z", "dateUpdated": "2025-01-02T20:43:15.380Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }