CVE-2023-27977

CWE-3453 documents3 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 65.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider Electric Custom Reports (rms16.dll)Schneider Electric Igss Dashboard (dashboard.exe)Schneider Electric Igss Data Server(igssdataserver.exe)+3 more

Timeline

PublishedMar 21

Description

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS project report directory, this could lead to loss of data when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages6 packages

▶NVDschneider-electric/igss_data_server16.0.0.23040

▶CVEListV5schneider_electric/igss_data_server(igssdataserver.exe)V — 16.0.0.23040

▶NVDschneider-electric/igss_dashboard16.0.0.23040

▶CVEListV5schneider_electric/custom_reports_(rms16.dll)V — 16.0.0.23040

▶CVEListV5schneider_electric/igss_dashboard_(dashboard.exe)V — 16.0.0.23040

Patches

Patch: download.schneider-electric.com ↗Patch: download.schneider-electric.com ↗

🔴Vulnerability Details

GHSA

GHSA-8c9m-95jr-9f2r: A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS↗2023-03-21

▶

CVEList

CVE-2023-27977: A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS↗2023-03-21

▶