cvelistv5 - cve-2018-7841

CVE-2018-7841 (GCVE-0-2018-7841)

Vulnerability from cvelistv5

Published

2019-05-22 19:20

Modified

2025-10-21 23:45

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

SQL Injection

Summary

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.

References

URL

	Vendor	Product	Version
	U.motion	U.motion Builder software version 1.3.4	Version: U.motion Builder software version 1.3.4

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2022-04-15

Due date: 2022-05-06

Required action: The impacted product is end-of-life and should be disconnected if still in use.

Used in ransomware: Unknown

Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-7841

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:37:59.637Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html"
          },
          {
            "name": "20190514 [CVE-2018-7841] Schneider Electric U.Motion Builder \u003c= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/May/26"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2018-7841",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-07T13:14:24.620740Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-04-15",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:45:36.396Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-04-15T00:00:00+00:00",
            "value": "CVE-2018-7841 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "U.motion Builder software version 1.3.4",
          "vendor": "U.motion",
          "versions": [
            {
              "status": "affected",
              "version": "U.motion Builder software version 1.3.4"
            }
          ]
        }
      ],
      "datePublic": "2019-03-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "SQL Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-22T19:22:21.000Z",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html"
        },
        {
          "name": "20190514 [CVE-2018-7841] Schneider Electric U.Motion Builder \u003c= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/May/26"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2018-7841",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "U.motion Builder software version 1.3.4",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "U.motion Builder software version 1.3.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "U.motion"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "SQL Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html"
            },
            {
              "name": "20190514 [CVE-2018-7841] Schneider Electric U.Motion Builder \u003c= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/May/26"
            },
            {
              "name": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02",
              "refsource": "CONFIRM",
              "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2018-7841",
    "datePublished": "2019-05-22T19:20:54.000Z",
    "dateReserved": "2018-03-08T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:45:36.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2018-7841",
      "cwes": "[\"CWE-89\"]",
      "dateAdded": "2022-04-15",
      "dueDate": "2022-05-06",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2018-7841",
      "product": "U.motion Builder",
      "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use.",
      "shortDescription": "A SQL Injection vulnerability exists in U.motion Builder software which could cause unwanted code execution when an improper set of characters is entered.",
      "vendorProject": "Schneider Electric",
      "vulnerabilityName": "Schneider Electric U.motion Builder SQL Injection Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-7841\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2019-05-22T20:29:01.480\",\"lastModified\":\"2025-11-03T18:59:49.653\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de Inyecci\u00f3n de SQL (CWE-89) en U.motion Builder versi\u00f3n de software 1.3.4, que podr\u00eda generar la ejecuci\u00f3n de c\u00f3digo no deseado cuando un ajuste inapropiado de caracteres es introducido.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-04-15\",\"cisaActionDue\":\"2022-05-06\",\"cisaRequiredAction\":\"The impacted product is end-of-life and should be disconnected if still in use.\",\"cisaVulnerabilityName\":\"Schneider Electric U.motion Builder SQL Injection Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:u.motion_builder:1.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8A4D5E5-EA6D-4E2A-BB01-80EDADB3804E\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/May/26\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/May/26\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/May/26\", \"name\": \"20190514 [CVE-2018-7841] Schneider Electric U.Motion Builder \u003c= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection\", \"tags\": [\"mailing-list\", \"x_refsource_FULLDISC\", \"x_transferred\"]}, {\"url\": \"https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T06:37:59.637Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2018-7841\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-07T13:14:24.620740Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-04-15\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-04-15T00:00:00+00:00\", \"value\": \"CVE-2018-7841 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-07T13:14:10.660Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"U.motion\", \"product\": \"U.motion Builder software version 1.3.4\", \"versions\": [{\"status\": \"affected\", \"version\": \"U.motion Builder software version 1.3.4\"}]}], \"datePublic\": \"2019-03-12T00:00:00.000Z\", \"references\": [{\"url\": \"http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/May/26\", \"name\": \"20190514 [CVE-2018-7841] Schneider Electric U.Motion Builder \u003c= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection\", \"tags\": [\"mailing-list\", \"x_refsource_FULLDISC\"]}, {\"url\": \"https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"SQL Injection\"}]}], \"providerMetadata\": {\"orgId\": \"076d1eb6-cfab-4401-b34d-6dfc2a413bdb\", \"shortName\": \"schneider\", \"dateUpdated\": \"2019-05-22T19:22:21.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"U.motion Builder software version 1.3.4\"}]}, \"product_name\": \"U.motion Builder software version 1.3.4\"}]}, \"vendor_name\": \"U.motion\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html\", \"name\": \"http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html\", \"refsource\": \"MISC\"}, {\"url\": \"http://seclists.org/fulldisclosure/2019/May/26\", \"name\": \"20190514 [CVE-2018-7841] Schneider Electric U.Motion Builder \u003c= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection\", \"refsource\": \"FULLDISC\"}, {\"url\": \"https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02\", \"name\": \"https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"SQL Injection\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2018-7841\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"cybersecurity@schneider-electric.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2018-7841\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:45:36.396Z\", \"dateReserved\": \"2018-03-08T00:00:00.000Z\", \"assignerOrgId\": \"076d1eb6-cfab-4401-b34d-6dfc2a413bdb\", \"datePublished\": \"2019-05-22T19:20:54.000Z\", \"assignerShortName\": \"schneider\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2018-7841

Vulnerability from fkie_nvd

Published

2019-05-22 20:29

Modified

2025-11-03 18:59

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.

References

URL	Tags
cybersecurity@se.com	http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html	Exploit, Third Party Advisory, VDB Entry
cybersecurity@se.com	http://seclists.org/fulldisclosure/2019/May/26	Exploit, Mailing List, Third Party Advisory
cybersecurity@se.com	https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2019/May/26	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02	Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841	US Government Resource

Impacted products

	Vendor	Product	Version
	schneider-electric	u.motion_builder	1.3.4

JSON

To clipboard

{
  "cisaActionDue": "2022-05-06",
  "cisaExploitAdd": "2022-04-15",
  "cisaRequiredAction": "The impacted product is end-of-life and should be disconnected if still in use.",
  "cisaVulnerabilityName": "Schneider Electric U.motion Builder SQL Injection Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:schneider-electric:u.motion_builder:1.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8A4D5E5-EA6D-4E2A-BB01-80EDADB3804E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de Inyecci\u00f3n de SQL (CWE-89) en U.motion Builder versi\u00f3n de software 1.3.4, que podr\u00eda generar la ejecuci\u00f3n de c\u00f3digo no deseado cuando un ajuste inapropiado de caracteres es introducido."
    }
  ],
  "id": "CVE-2018-7841",
  "lastModified": "2025-11-03T18:59:49.653",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2019-05-22T20:29:01.480",
  "references": [
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html"
    },
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/May/26"
    },
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/May/26"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841"
    }
  ],
  "sourceIdentifier": "cybersecurity@se.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered. U.motionBuilder is a generator product from Schneider Electric of France. A security vulnerability exists in SchneiderElectricU.MotionBuildertrack_import_export.phpobject_id. The vulnerability is due to an application failing to properly validate and filter this parameter, and an attacker could exploit the vulnerability to insert arbitrary commands

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201905-1044",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "u.motion builder",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "1.3.4"
      },
      {
        "model": "u.motion builder software",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": "1.3.4"
      },
      {
        "model": "electric u.motion builder",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "schneider",
        "version": "\u003c=1.3.4"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "u motion builder",
        "version": "1.3.4"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:schneider_electric:u.motion_builder",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Julien Ahrens",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2018-7841",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2018-7841",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-14275",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "ab58dace-bec4-420e-bb16-b855ccecebc0",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-7841",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-7841",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-7841",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-14275",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201905-612",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "IVD",
            "id": "ab58dace-bec4-420e-bb16-b855ccecebc0",
            "trust": 0.2,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-7841",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-7841"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered. U.motionBuilder is a generator product from Schneider Electric of France. A security vulnerability exists in SchneiderElectricU.MotionBuildertrack_import_export.phpobject_id. The vulnerability is due to an application failing to properly validate and filter this parameter, and an attacker could exploit the vulnerability to insert arbitrary commands",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-7841"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      },
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-7841"
      }
    ],
    "trust": 2.43
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=46846",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-7841",
        "trust": 3.3
      },
      {
        "db": "PACKETSTORM",
        "id": "152862",
        "trust": 1.7
      },
      {
        "db": "SCHNEIDER",
        "id": "SEVD-2019-071-02",
        "trust": 1.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-612",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483",
        "trust": 0.8
      },
      {
        "db": "EXPLOIT-DB",
        "id": "46846",
        "trust": 0.7
      },
      {
        "db": "IVD",
        "id": "AB58DACE-BEC4-420E-BB16-B855CCECEBC0",
        "trust": 0.2
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-7841",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-7841"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "id": "VAR-201905-1044",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      }
    ],
    "trust": 1.8
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      },
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:43:56.780000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SEVD-2019-071-02",
        "trust": 0.8,
        "url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-071-02/"
      },
      {
        "title": "advisories",
        "trust": 0.1,
        "url": "https://github.com/MrTuxracer/advisories "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2018-7841"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.3,
        "url": "http://seclists.org/fulldisclosure/2019/may/26"
      },
      {
        "trust": 2.3,
        "url": "http://packetstormsecurity.com/files/152862/schneider-electric-u.motion-builder-1.3.4-command-injection.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.schneider-electric.com/ww/en/download/document/sevd-2019-071-02"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-7841"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7841"
      },
      {
        "trust": 0.7,
        "url": "https://www.exploit-db.com/exploits/46846"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/89.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-7841"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-7841"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-05-15T00:00:00",
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "date": "2019-05-15T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      },
      {
        "date": "2019-05-22T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-7841"
      },
      {
        "date": "2019-06-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "date": "2019-05-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      },
      {
        "date": "2019-05-22T20:29:01.480000",
        "db": "NVD",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-05-15T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      },
      {
        "date": "2019-05-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-7841"
      },
      {
        "date": "2019-06-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-015483"
      },
      {
        "date": "2019-05-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      },
      {
        "date": "2024-11-21T04:12:51.587000",
        "db": "NVD",
        "id": "CVE-2018-7841"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Schneider Electric U.Motion Builder track_import_export.php object_id Unverified command injection vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-14275"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "IVD",
        "id": "ab58dace-bec4-420e-bb16-b855ccecebc0"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201905-612"
      }
    ],
    "trust": 0.8
  }
}

cnvd-2019-14275

Vulnerability from cnvd

Title

Schneider Electric U.Motion Builder track_import_export.php object_id未经验证命令注入漏洞

Description

U.motion Builder是法国施耐德电气（Schneider Electric）公司的一款生成器产品。 Schneider Electric U.Motion Builder track_import_export.php object_id存在安全漏洞。该漏洞是由于应用程序未能正确地验证和过滤此参数，攻击者可利用漏洞插入任意命令。

Severity

高

Formal description

该产品在通知供应商有关此问题不久已退役，因此不会发布任何修复程序： https://www.schneider-electric.com/ww/en/

Reference

https://seclists.org/fulldisclosure/2019/May/26

Impacted products

Name
Schneider Electric U.motion Builder <=1.3.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-7841"
    }
  },
  "description": "U.motion Builder\u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u751f\u6210\u5668\u4ea7\u54c1\u3002\n\nSchneider Electric U.Motion Builder track_import_export.php object_id\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u5e94\u7528\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5730\u9a8c\u8bc1\u548c\u8fc7\u6ee4\u6b64\u53c2\u6570\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u63d2\u5165\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "Julien Ahrens",
  "formalWay": "\u8be5\u4ea7\u54c1\u5728\u901a\u77e5\u4f9b\u5e94\u5546\u6709\u5173\u6b64\u95ee\u9898\u4e0d\u4e45\u5df2\u9000\u5f79\uff0c\u56e0\u6b64\u4e0d\u4f1a\u53d1\u5e03\u4efb\u4f55\u4fee\u590d\u7a0b\u5e8f\uff1a\r\nhttps://www.schneider-electric.com/ww/en/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-14275",
  "openTime": "2019-05-15",
  "products": {
    "product": "Schneider Electric U.motion Builder \u003c=1.3.4"
  },
  "referenceLink": "https://seclists.org/fulldisclosure/2019/May/26",
  "serverity": "\u9ad8",
  "submitTime": "2019-05-15",
  "title": "Schneider Electric U.Motion Builder track_import_export.php object_id\u672a\u7ecf\u9a8c\u8bc1\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

ghsa-cwjr-6hc3-vpjm

Vulnerability from github

Published

2022-05-24 16:46

Modified

2025-10-22 00:31

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-7841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-22T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.",
  "id": "GHSA-cwjr-6hc3-vpjm",
  "modified": "2025-10-22T00:31:40Z",
  "published": "2022-05-24T16:46:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7841"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841"
    },
    {
      "type": "WEB",
      "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/May/26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2018-7841

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.

Aliases

CVE-2018-7841

Aliases

CVE-2018-7841

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-7841",
    "description": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.",
    "id": "GSD-2018-7841",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-7841"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-7841"
      ],
      "details": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.",
      "id": "GSD-2018-7841",
      "modified": "2023-12-13T01:22:32.459856Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@schneider-electric.com",
        "ID": "CVE-2018-7841",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "U.motion Builder software version 1.3.4",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "U.motion Builder software version 1.3.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "U.motion"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "SQL Injection"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html"
          },
          {
            "name": "20190514 [CVE-2018-7841] Schneider Electric U.Motion Builder \u003c= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2019/May/26"
          },
          {
            "name": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02",
            "refsource": "CONFIRM",
            "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:schneider-electric:u.motion_builder:1.3.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2018-7841"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02"
            },
            {
              "name": "20190514 [CVE-2018-7841] Schneider Electric U.Motion Builder \u003c= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/May/26"
            },
            {
              "name": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-05-23T15:02Z",
      "publishedDate": "2019-05-22T20:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2018-7841 (GCVE-0-2018-7841)

Vulnerability from cvelistv5

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

fkie_cve-2018-7841

Vulnerability from fkie_nvd

var-201905-1044

Vulnerability from variot

cnvd-2019-14275

Vulnerability from cnvd

ghsa-cwjr-6hc3-vpjm

Vulnerability from github

gsd-2018-7841

Vulnerability from gsd

Tags

Sightings

Nomenclature