CVE-2017-9956

Severity: 7.3 HIGH
EPSS: 0.5% (top 34.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 26; Latest update May 17

Description

An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use that session ID as part of the HTTP cookie of a web request, resulting in authentication bypass.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability: 3.9 | Impact: 3.4

Affected Packages (2 packages)

CVEListV5 | schneider_electric_se/u.motion | U.motion Builder Versions 1.2.1 and prior.

🔴 Vulnerability Details

2
GHSA
GHSA-w5f6-9h7r-9v63: An authentication bypass vulnerability exists in Schneider Electric's U | 2022-05-17
CVEList
CVE-2017-9956: An authentication bypass vulnerability exists in Schneider Electric's U | 2017-09-25

💬 Community

1
Bugzilla
CVE-2016-9956 FlightGear: Route manager allows overwrite of arbitrary files | 2016-12-16