Schneider-Electric Ecostruxure Power Monitoring Expert vulnerabilities

CVE-2023-5986 [HIGH] CWE-601 CVE-2023-5986: A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect v A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input attackers can cause the software’s web application to redirect to the chosen domain after a successful login is performed.

CVE-2023-5987 [MEDIUM] CWE-79 CVE-2023-5987: A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnera A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.

CVE-2023-28003 [MEDIUM] CWE-613 CVE-2023-28003: A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to m A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.

CVE-2022-22727 [HIGH] CWE-20 CVE-2022-22727: A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacke A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user�s local machine when the user clicks a specially crafted link. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)

CVE-2022-22726 [MEDIUM] CWE-20 CVE-2022-22726: A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the ser A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)

CVE-2022-22804 [MEDIUM] CWE-79 CVE-2022-22804: A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulne A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. Affected Product: EcoStruxure Power Monitoring Expert (Version

CVE-2021-22826 [HIGH] CWE-20 CVE-2021-22826: A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution w A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload. This CVE is unique from CVE-2021-22827. Affected Product: EcoStruxure� Power Monitoring Expert 9.0 and prior versions

CVE-2021-22827 [HIGH] CVE-2021-22827: A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution w A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload. This CVE is unique from CVE-2021-22826. Affected Product: EcoStruxure� Power Monitoring Expert 9.0 and prior versions

CVE-2020-7545 [HIGH] CWE-284 CVE-2020-7545: A CWE-284:Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Moni A CWE-284:Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow for arbitrary code execution on the server when an authorized user access an affected webpage.

CVE-2020-7547 [HIGH] CWE-284 CVE-2020-7547: A CWE-284: Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Mon A CWE-284: Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow a user the ability to perform actions via the web interface at a higher privilege level.

CVE-2020-7546 [MEDIUM] CWE-79 CVE-2020-7546: A CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability exists in EcoStr A CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow an attacker to perform actions on behalf of the authorized user when accessing an affected webpage.

CVE-2018-7797 [MEDIUM] CWE-601 CVE-2018-7797: A URL redirection vulnerability exists in Power Monitoring Expert, Energy Expert (formerly Power Man A URL redirection vulnerability exists in Power Monitoring Expert, Energy Expert (formerly Power Manager) - EcoStruxure Power Monitoring Expert (PME) v8.2 (all editions), EcoStruxure Energy Expert 1.3 (formerly Power Manager), EcoStruxure Power SCADA Operation (PSO) 8.2 Advanced Reports and Dashboards Module, EcoStruxure Power Monitoring Expert (PME)