Schneider Electric Pro-Face Blue vulnerabilities

CVE-2023-1049 [HIGH] CWE-94 CVE-2023-1049: A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI.

CVE-2022-41667 [HIGH] CWE-22 CVE-2022-41667: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerabili A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

CVE-2022-41671 [HIGH] CWE-89 CVE-2022-41671: A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerab A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix

CVE-2022-41670 [HIGH] CWE-22 CVE-2022-41670: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerabili A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BL

CVE-2022-41669 [HIGH] CWE-347 CVE-2022-41669: A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in the SGIUtility c A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

CVE-2022-41666 [HIGH] CWE-347 CVE-2022-41666: A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversa A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

CVE-2022-41668 [HIGH] CWE-704 CVE-2022-41668: A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).