Schneider Electric Struxureware Data Center Expert vulnerabilities
15 known vulnerabilities affecting schneider_electric/struxureware_data_center_expert.
Total CVEs
15
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH8MEDIUM3
Vulnerabilities
Page 1 of 1
CVE-2023-37199HIGHCVSS 7.2vv7.9.3 and earlier2023-07-12
CVE-2023-37199 [HIGH] CWE-94 CVE-2023-37199:
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause remote code execution when an admin user on DCE tampers with backups which
are then manually restored.
cvelistv5nvd
CVE-2023-37198HIGHCVSS 7.2vv7.9.3 and earlier2023-07-12
CVE-2023-37198 [HIGH] CWE-94 CVE-2023-37198:
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
c
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
could cause remote code execution when an admin user on DCE uploads or tampers with install
packages.
cvelistv5nvd
CVE-2023-37197HIGHCVSS 8.8vv7.9.3 and earlier2023-07-12
CVE-2023-37197 [HIGH] CWE-89 CVE-2023-37197:
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to
access unauthorized content, change, or delete content, or perform unauthorized actions when
tampering with the mass configuration settings of endpoints on DCE.
cvelistv5nvd
CVE-2023-37196HIGHCVSS 8.8vv7.9.3 and earlier2023-07-12
CVE-2023-37196 [HIGH] CWE-89 CVE-2023-37196:
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL In
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to
access unauthorized content, change, or delete content, or perform unauthorized actions when
tampering with the alert settings of endpoints on DCE.
cvelistv5nvd
CVE-2023-25549CRITICALCVSS 9.8≥ All, ≤ V7.9.22023-04-18
CVE-2023-25549 [CRITICAL] CWE-94 CVE-2023-25549:
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
allows for remote code execution when using a parameter of the DCE network settings
endpoint.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2023-25550CRITICALCVSS 9.8≥ All, ≤ V7.9.22023-04-18
CVE-2023-25550 [CRITICAL] CWE-94 CVE-2023-25550:
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists th
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that
allows remote code execution via the “hostname” parameter when maliciously crafted hostname
syntax is entered.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2023-25552HIGHCVSS 8.1≥ All, ≤ V7.9.22023-04-18
CVE-2023-25552 [HIGH] CWE-862 CVE-2023-25552:
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized
co
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized
content, changes or deleting of content, or performing unauthorized functions when tampering
the Device File Transfer settings on DCE endpoints.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2023-25555HIGHCVSS 8.1≥ All, ≤ V7.9.22023-04-18
CVE-2023-25555 [HIGH] CWE-78 CVE-2023-25555:
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS
Comm
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS
Command Injection') vulnerability exists that could allow a user that knows the credentials to
execute unprivileged shell commands on the appliance over SSH.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2023-25547HIGHCVSS 8.8≥ All, ≤ V7.9.22023-04-18
CVE-2023-25547 [HIGH] CWE-863 CVE-2023-25547:
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution
on u
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution
on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2023-25554HIGHCVSS 7.8≥ All, ≤ V7.9.22023-04-18
CVE-2023-25554 [HIGH] CWE-78 CVE-2023-25554:
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS
Command Inject
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS
Command Injection') vulnerability exists that allows a local privilege escalation on the appliance
when a maliciously crafted Operating System command is entered on the device.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2023-25551MEDIUMCVSS 6.1≥ All, ≤ V7.9.22023-04-18
CVE-2023-25551 [MEDIUM] CWE-79 CVE-2023-25551:
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Script
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters
over HTTP.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2023-25553MEDIUMCVSS 6.1≥ All, ≤ V7.9.22023-04-18
CVE-2023-25553 [MEDIUM] CWE-79 CVE-2023-25553:
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scri
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the
webserver.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2023-25548MEDIUMCVSS 6.5≥ All, ≤ V7.9.22023-04-18
CVE-2023-25548 [MEDIUM] CWE-863 CVE-2023-25548:
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device
credentia
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device
credentials on specific DCE endpoints not being properly secured when a hacker is using a low
privileged user.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
cvelistv5nvd
CVE-2021-22795CRITICALCVSS 9.8≥ unspecified, < V7.8.12022-04-13
CVE-2021-22795 [CRITICAL] CWE-78 CVE-2021-22795: A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)
cvelistv5nvd
CVE-2021-22794CRITICALCVSS 9.8≥ unspecified, < V7.8.12022-04-13
CVE-2021-22794 [CRITICAL] CWE-22 CVE-2021-22794: A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerabilit
A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)
cvelistv5nvd