Schneider-Electric Easy UPS Online Monitoring Software vulnerabilities
8 known vulnerabilities affecting schneider-electric/easy_ups_online_monitoring_software.
Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 4
Vulnerabilities
CVE-2023-6407 | HIGH | CVSS 7.1 | fixed in 2.6-ga-01-23248 | 2023-12-14
CVE-2023-6407 [MEDIUM] CWE-22
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by
a local and low-privileged attacker.
nvd
CVE-2023-29411 | CRITICAL | CVSS 9.8 | ≤ 2.5-gs-01-22320 | 2023-04-18
CVE-2023-29411 [CRITICAL] CWE-306
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow
changes to administrative credentials, leading to potential remote code execution without
requiring prior authentication on the Java RMI interface.
nvd
CVE-2023-29412 | CRITICAL | CVSS 9.8 | ≤ 2.5-gs-01-22320 | 2023-04-18
CVE-2023-29412 [CRITICAL] CWE-78
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
Injection') vulnerability exists that could cause remote code execution when manipulating
internal methods through Java RMI interface.
nvd
CVE-2023-29413 | HIGH | CVSS 7.5 | ≤ 2.5-gs-01-22320 | 2023-04-18
CVE-2023-29413 [HIGH] CWE-306
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause
Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor
service.
nvd
CVE-2022-42971 | CRITICAL | CVSS 9.8 | fixed in 2.5-gs-01-22320 | fixed in 2.5-gs | 2023-02-01
CVE-2022-42971 [CRITICAL] CWE-434
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software
nvd
CVE-2022-42970 | CRITICAL | CVSS 9.8 | fixed in 2.5-gs-01-22320 | fixed in 2.5-gs | 2023-02-01
CVE-2022-42970 [CRITICAL] CWE-306
CWE-306: Missing Authentication for Critical Function. The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA)
nvd
CVE-2022-42973 | HIGH | CVSS 7.8 | fixed in 2.5-gs-01-22320 | fixed in 2.5-gs | 2023-02-01
CVE-2022-42973 [HIGH] CWE-798
A CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause local privilege escalation when local attacker connects to the database. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Window
nvd
CVE-2022-42972 | HIGH | CVSS 7.8 | fixed in 2.5-gs-01-22320 | fixed in 2.5-gs | 2023-02-01
CVE-2022-42972 [HIGH] CWE-732
A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could cause local privilege escalation when a local attacker modifies the webroot directory. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitor
nvd