CVE-2023-37199 — Code Injection in Struxureware Data Center Expert

CWE-94 — Code Injection3 documents3 sources

Severity

7.2HIGHNVD

CNA6.8

EPSS

2.2%

top 15.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric Struxureware Data Center Expert Schneider Electric Struxureware Data Center Expert

Timeline

PublishedJul 12

Description

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDschneider-electric/struxureware_data_center_expert7.9.3

▶CVEListV5schneider_electric/struxureware_data_center_expertv7.9.3 and earlier

🔴Vulnerability Details

CVEList

CVE-2023-37199: A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on↗2023-07-12

▶

GHSA

GHSA-v4v5-38hc-7h56: A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on↗2023-07-12

▶