Schneider-Electric Interactive Graphical Scada System vulnerabilities

CVE-2023-4516 [HIGH] CWE-306 CVE-2023-4516: A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Ser A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change update source, potentially leading to remote code execution when the attacker force an update containing malicious content.

CVE-2022-2329 [CRITICAL] CWE-190 CVE-2022-2329: A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer ov A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22073)

CVE-2022-24324 [CRITICAL] CWE-120 CVE-2022-24324: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack- A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22073)

CVE-2022-32528 [HIGH] CWE-306 CVE-2022-32528: A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause acces A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause access to manipulate and read specific files in the IGSS project report directory, potentially leading to a denial-of-service condition when an attacker sends specific messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.

CVE-2022-32525 [CRITICAL] CWE-120 CVE-2022-32525: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack- A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32529 [CRITICAL] CWE-120 CVE-2022-32529: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack- A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted log data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32523 [CRITICAL] CWE-120 CVE-2022-32523: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack- A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted online data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32527 [CRITICAL] CWE-120 CVE-2022-32527: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack- A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm cache data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32526 [CRITICAL] CWE-120 CVE-2022-32526: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack- A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted setting value messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32522 [CRITICAL] CWE-120 CVE-2022-32522: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack- A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted mathematically reduced data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2022-32524 [CRITICAL] CWE-120 CVE-2022-32524: A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack- A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted time reduced data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

CVE-2021-22757 [HIGH] CWE-125 CVE-2021-22757: A CWE-125: Out-of-bounds read vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and pri A CWE-125: Out-of-bounds read vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in disclosure of information or remote code execution due to lack of sanity checks on user-supplied input data, when a malicious CGF file is imported to IGSS Definition.

CVE-2021-22752 [HIGH] CWE-787 CVE-2021-22752: A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and pr A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in loss of data or remote code execution due to missing size checks, when a malicious WSP (Workspace) file is being parsed by IGSS Definition.

CVE-2021-22754 [HIGH] CWE-787 CVE-2021-22754: A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and pr A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in loss of data or remote code execution due to lack of proper validation of user-supplied data, when a malicious CGF file is imported to IGSS Definition.

CVE-2021-22761 [HIGH] CWE-119 CVE-2021-22761: A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exi A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in disclosure of information or remote code e+F15xecution due to missing length check on user supplied data, when a malicious CGF file is imported to IGSS Definition.

CVE-2021-22755 [HIGH] CWE-787 CVE-2021-22755: A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and pr A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in disclosure of information or remote code execution due to lack of sanity checks on user-supplied data, when a malicious CGF file is imported to IGSS Definition.

CVE-2021-22758 [HIGH] CWE-824 CVE-2021-22758: A CWE-824: Access of uninitialized pointer vulnerability exists inIGSS Definition (Def.exe) V15.0.0. A CWE-824: Access of uninitialized pointer vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in loss of data or remote code execution due to lack validation of user-supplied input data, when a malicious CGF file is imported to IGSS Definition.

CVE-2021-22751 [HIGH] CWE-787 CVE-2021-22751: A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and pr A CWE-787: Out-of-bounds write vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in disclosure of information or execution of arbitrary code due to lack of input validation, when a malicious CGF (Configuration Group File) file is imported to IGSS Definition.

CVE-2021-22753 [HIGH] CWE-125 CVE-2021-22753: A CWE-125: Out-of-bounds read vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and pri A CWE-125: Out-of-bounds read vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in loss of data or remote code execution due to missing length checks, when a malicious WSP file is being parsed by IGSS Definition.

CVE-2021-22756 [HIGH] CWE-125 CVE-2021-22756: A CWE-125: Out-of-bounds read vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and pri A CWE-125: Out-of-bounds read vulnerability exists inIGSS Definition (Def.exe) V15.0.0.21140 and prior that could result in disclosure of information or remote code execution due to lack of user-supplied data validation, when a malicious CGF file is imported to IGSS Definition.