CVE-2023-27982

CWE-3453 documents3 sources

Severity

8.8HIGH

EPSS

0.4%

top 40.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider Electric Custom Reports (rms16.dll)Schneider Electric Igss Dashboard (dashboard.exe)Schneider Electric Igss Data Server(igssdataserver.exe)+3 more

Timeline

PublishedMar 21

Description

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior),…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDschneider-electric/igss_data_server16.0.0.23040

▶CVEListV5schneider_electric/igss_data_server(igssdataserver.exe)V — 16.0.0.23040

▶NVDschneider-electric/igss_dashboard16.0.0.23040

▶CVEListV5schneider_electric/igss_dashboard_(dashboard.exe)V — 16.0.0.23040

▶CVEListV5schneider_electric/custom_reports_(rms16.dll)V — 16.0.0.23040

Patches

Patch: download.schneider-electric.com ↗Patch: download.schneider-electric.com ↗

🔴Vulnerability Details

CVEList

CVE-2023-27982: A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in↗2023-03-21

▶

GHSA

GHSA-rw32-ghjc-99g6: A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in↗2023-03-21

▶