CVE-2023-27979 — Insufficient Verification of Data Authenticity in Electric Custom Reports

CWE-345 — Insufficient Verification of Data Authenticity3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 63.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider Electric Custom Reports Schneider Electric Igss Dashboard Schneider Electric Igss Data Server +3 more

Timeline

PublishedMar 21

Description

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, this could lead to denial of service when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages6 packages

▶CVEListV5schneider_electric/igss_data_serverV — 16.0.0.23040

▶NVDschneider-electric/igss_data_server16.0.0.23040

▶CVEListV5schneider_electric/igss_dashboardV — 16.0.0.23040

▶NVDschneider-electric/igss_dashboard16.0.0.23040

▶CVEListV5schneider_electric/custom_reportsV — 16.0.0.23040

Patches

Patch: download.schneider-electric.com ↗Patch: download.schneider-electric.com ↗

🔴Vulnerability Details

CVEList

CVE-2023-27979: A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS p↗2023-03-21

▶

GHSA

GHSA-pfhh-873g-hhx7: A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS p↗2023-03-21

▶