CVE-2023-37197

CWE-89 — SQL Injection3 documents3 sources

Severity

8.8HIGH

EPSS

0.4%

top 38.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric Struxureware Data Center Expert Schneider Electric Struxureware Data Center Expert

Timeline

PublishedJul 12

Description

A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDschneider-electric/struxureware_data_center_expert7.9.3

▶CVEListV5schneider_electric/struxureware_data_center_expertv7.9.3 and earlier

🔴Vulnerability Details

CVEList

CVE-2023-37197: A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a u↗2023-07-12

▶

GHSA

GHSA-39jj-553f-8jjw: A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a u↗2023-07-12

▶