CVE-2024-37038

Severity
8.8 HIGH
EPSS
0.4%
top 39.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jun 12

Description

CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages: 7 packages

NVD: schneider-electric/sage_rtu_firmware < c3414-500-s02k5_p9
CVEListV5: schneider_electric/sage_1410, Versions C3414-500-S02K5_P8 and prior
CVEListV5: schneider_electric/sage_1430, Versions C3414-500-S02K5_P8 and prior
CVEListV5: schneider_electric/sage_1450, Versions C3414-500-S02K5_P8 and prior
CVEListV5: schneider_electric/sage_2400, Versions C3414-500-S02K5_P8 and prior

Patches

Vulnerability Details (2)

CVEList
CVE-2024-37038: CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perfor (2024-06-12)
GHSA
GHSA-f3h5-qqxj-cvgg: CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perfor (2024-06-12)