CVE-2023-37198

CWE-94 — Code Injection3 documents3 sources

Severity

7.2HIGH

EPSS

2.2%

top 15.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric Struxureware Data Center Expert Schneider Electric Struxureware Data Center Expert

Timeline

PublishedJul 12

Description

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages2 packages

▶NVDschneider-electric/struxureware_data_center_expert7.9.3

▶CVEListV5schneider_electric/struxureware_data_center_expertv7.9.3 and earlier

🔴Vulnerability Details

CVEList

CVE-2023-37198: A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on↗2023-07-12

▶

GHSA

GHSA-8x4r-qjgj-932v: A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on↗2023-07-12

▶