cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-8530,https://securityvulnerability.io/vulnerability/CVE-2024-8530,Authentication Flaw in Schneider Electric’s Logcapture Feature,"A significant vulnerability has been identified in Schneider Electric’s Logcapture feature, categorized as missing authentication for critical function (CWE-306). This flaw potentially exposes sensitive user data when unauthorized individuals can directly access previously generated 'logcaptures' archives via HTTPS. Organizations utilizing affected versions of Logcapture must take immediate action to apply necessary security patches and enhance their authentication protocols to mitigate risks associated with unauthorized data exposure.",Schneider Electric,Data Center Expert,5.9,MEDIUM,0.0006500000017695129,false,false,false,false,,false,false,2024-10-11T13:55:30.353Z,0
CVE-2024-8531,https://securityvulnerability.io/vulnerability/CVE-2024-8531,Manipulation of Upgrade Bundles Could Compromise Root Access,"A vulnerability exists within Schneider Electric's Data Center Expert software that pertains to improper verification of cryptographic signatures. This issue arises when upgrade bundles are manipulated to contain arbitrary bash scripts, which can then be executed with root privileges. Such a flaw raises significant security concerns, as it potentially allows unauthorized code execution, leading to system compromise and data integrity issues. Organizations utilizing this software should assess their security posture and implement necessary measures to mitigate risks associated with this vulnerability.",Schneider Electric,Data Center Expert,7.2,HIGH,0.0006500000017695129,false,false,false,false,,false,false,2024-10-11T13:50:31.474Z,0
CVE-2023-37199,https://securityvulnerability.io/vulnerability/CVE-2023-37199,,"A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.",Schneider Electric,Struxureware Data Center Expert,6.8,MEDIUM,0.0010600000387057662,false,false,false,false,,false,false,2023-07-12T08:15:00.000Z,0
CVE-2023-37196,https://securityvulnerability.io/vulnerability/CVE-2023-37196,SQL Injection Vulnerability in DCE by Schneider Electric,"A vulnerability exists within Schneider Electric's DCE (Data Center Expert) that is characterized as an improper neutralization of special elements in an SQL command, commonly known as SQL injection. This flaw permits authenticated users to access unauthorized content, modify or delete data, and execute actions beyond their intended privileges when manipulating alert settings for endpoints in DCE.",Schneider Electric,Struxureware Data Center Expert,8.8,HIGH,0.0006000000284984708,false,false,false,false,,false,false,2023-07-12T07:15:00.000Z,0
CVE-2023-37198,https://securityvulnerability.io/vulnerability/CVE-2023-37198,,"A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.",Schneider Electric,Struxureware Data Center Expert,6.8,MEDIUM,0.0010600000387057662,false,false,false,false,,false,false,2023-07-12T07:15:00.000Z,0
CVE-2023-37197,https://securityvulnerability.io/vulnerability/CVE-2023-37197,SQL Injection Vulnerability in Schneider Electric's DCE,"An SQL Injection vulnerability exists in Schneider Electric's DCE that can be exploited by an authenticated user. This flaw enables the attacker to manipulate configuration settings, potentially allowing unauthorized access to sensitive content, alterations to existing data, or deletion of critical information. Users must be cautious as the manipulation of mass settings can lead to severe security breaches if left unaddressed.",Schneider Electric,Struxureware Data Center Expert,8.8,HIGH,0.0006000000284984708,false,false,false,false,,false,false,2023-07-12T07:15:00.000Z,0
CVE-2023-25552,https://securityvulnerability.io/vulnerability/CVE-2023-25552,Missing Authorization Vulnerability in StruxureWare Data Center Expert by Schneider Electric,"A missing authorization vulnerability has been identified in StruxureWare Data Center Expert, which could enable unauthorized users to view sensitive content, modify, or delete critical data. This issue arises from the manipulation of Device File Transfer settings on DCE endpoints, allowing potential adversaries to perform unauthorized actions. Users are advised to review their configurations and implement necessary security measures to mitigate exposure.",Schneider Electric,StruxureWare Data Center Expert,8.1,HIGH,0.000590000010561198,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2023-25548,https://securityvulnerability.io/vulnerability/CVE-2023-25548,,"A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)",Schneider Electric,StruxureWare Data Center Expert,6.5,MEDIUM,0.000590000010561198,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2023-25549,https://securityvulnerability.io/vulnerability/CVE-2023-25549,Remote Code Execution Vulnerability in StruxureWare by Schneider Electric,"A vulnerability exists in StruxureWare Data Center Expert that enables attackers to execute arbitrary code remotely through improper control of the DCE network settings parameter. This flaw, categorized as CWE-94: Improper Control of Generation of Code ('Code Injection'), poses significant security risks, allowing unauthorized users to take control of the affected system. Effective measures should be implemented to mitigate these risks and secure your infrastructure.",Schneider Electric,StruxureWare Data Center Expert,9.8,CRITICAL,0.00279000005684793,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2023-25550,https://securityvulnerability.io/vulnerability/CVE-2023-25550,Code Injection Vulnerability in StruxureWare Data Center Expert by Schneider Electric,"A code injection vulnerability exists in StruxureWare Data Center Expert that enables remote code execution through the manipulation of the 'hostname' parameter. Attackers can exploit this vulnerability by submitting specially crafted inputs, leading to unauthorized execution of arbitrary code within the affected system.",Schneider Electric,StruxureWare Data Center Expert,9.8,CRITICAL,0.00279000005684793,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2023-25553,https://securityvulnerability.io/vulnerability/CVE-2023-25553,,"A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)",Schneider Electric,StruxureWare Data Center Expert,6.1,MEDIUM,0.0005600000149570405,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2023-25554,https://securityvulnerability.io/vulnerability/CVE-2023-25554,OS Command Injection Vulnerability in StruxureWare Data Center Expert by Schneider Electric,"An OS Command Injection vulnerability has been discovered in StruxureWare Data Center Expert that allows attackers to escalate their privileges locally by executing specially crafted operating system commands. This vulnerability highlights the importance of securing application inputs to prevent unauthorized command execution, which could potentially compromise the integrity and confidentiality of the affected system.",Schneider Electric,StruxureWare Data Center Expert,7.8,HIGH,0.00044999999227002263,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2023-25555,https://securityvulnerability.io/vulnerability/CVE-2023-25555,OS Command Injection Vulnerability in StruxureWare Data Center Expert by Schneider Electric,"An OS Command Injection vulnerability exists in StruxureWare Data Center Expert, enabling authenticated users to execute unprivileged shell commands via SSH. This security flaw arises from improper handling of special elements, allowing an attacker with valid credentials to exploit the system. It is crucial for users to apply necessary security patches and mitigate potential risks connected with this vulnerability.",Schneider Electric,StruxureWare Data Center Expert,8.1,HIGH,0.001019999966956675,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2023-25547,https://securityvulnerability.io/vulnerability/CVE-2023-25547,Incorrect Authorization in StruxureWare Data Center Expert by Schneider Electric,"An incorrect authorization vulnerability has been identified in StruxureWare Data Center Expert, enabling attackers with limited privileges to execute remote code. This risk arises when malicious users exploit weaknesses in the system, allowing unauthorized operations during the upload and installation of packages. Proper security measures and updates are essential for safeguarding against potential exploitation.",Schneider Electric,StruxureWare Data Center Expert,8.8,HIGH,0.001509999972768128,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2023-25551,https://securityvulnerability.io/vulnerability/CVE-2023-25551,,"A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)",Schneider Electric,StruxureWare Data Center Expert,6.1,MEDIUM,0.0005600000149570405,false,false,false,false,,false,false,2023-04-18T21:15:00.000Z,0
CVE-2022-32518,https://securityvulnerability.io/vulnerability/CVE-2022-32518,Insufficiently Protected Credentials in Data Center Expert by Schneider Electric,"A vulnerability exists in Data Center Expert where insufficiently protected credentials can allow unauthorized access to a DCE instance via network interactions by a malicious third-party. This security flaw highlights the importance of securing authentication processes to prevent unauthorized access to sensitive data and functionalities within the application. Users of affected versions, specifically those prior to V7.9.0, are urged to update to mitigate this security risk.",Schneider Electric,Data Center Expert,8,HIGH,0.002630000002682209,false,false,false,false,,false,false,2023-01-30T00:00:00.000Z,0
CVE-2022-32519,https://securityvulnerability.io/vulnerability/CVE-2022-32519,Password Storage Vulnerability in Data Center Expert by Schneider Electric,"A vulnerability exists in Schneider Electric’s Data Center Expert, where passwords are stored in a recoverable format. This can lead to unauthorized access to a DCE instance if exploited by a malicious third-party over a network connection. It is crucial for users of affected versions to update to version V7.9.0 or later to mitigate this risk and enhance the security posture of their data center management.",Schneider Electric,Data Center Expert,8,HIGH,0.002630000002682209,false,false,false,false,,false,false,2023-01-30T00:00:00.000Z,0
CVE-2022-32521,https://securityvulnerability.io/vulnerability/CVE-2022-32521,Deserialization Vulnerability in Data Center Expert by Schneider Electric,"A vulnerability exists within Schneider Electric's Data Center Expert that involves the deserialization of untrusted data. This flaw could be exploited by an attacker to execute arbitrary code on the server when unsafe data is posted to the web application. This risk is particularly pronounced in versions prior to V7.9.0, emphasizing the importance of updates and maintaining security best practices to mitigate exploitation risks.",Schneider Electric,Data Center Expert,7.1,HIGH,0.0010999999940395355,false,false,false,false,,false,false,2023-01-30T00:00:00.000Z,0
CVE-2022-32520,https://securityvulnerability.io/vulnerability/CVE-2022-32520,Insufficiently Protected Credentials Vulnerability in Data Center Expert by Schneider Electric,"A vulnerability exists in Schneider Electric's Data Center Expert that exposes sensitive credentials inadequately protected, enabling unauthorized access to a DCE instance through network exploitation by malicious actors. The issue specifically affects versions prior to V7.9.0, distinguishing it from similar vulnerabilities. Users are advised to upgrade to the latest version to mitigate potential security risks.",Schneider Electric,Data Center Expert,8,HIGH,0.002630000002682209,false,false,false,false,,false,false,2023-01-30T00:00:00.000Z,0
CVE-2021-22795,https://securityvulnerability.io/vulnerability/CVE-2021-22795,,A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior),Schneider Electric,Struxureware Data Center Expert,9.1,CRITICAL,0.0053900000639259815,false,false,false,false,,false,false,2022-04-13T16:15:00.000Z,0
CVE-2021-22794,https://securityvulnerability.io/vulnerability/CVE-2021-22794,,A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior),Schneider Electric,Struxureware Data Center Expert,9.1,CRITICAL,0.012620000168681145,false,false,false,false,,false,false,2022-04-13T16:15:00.000Z,0
CVE-2018-7807,https://securityvulnerability.io/vulnerability/CVE-2018-7807,,"Data Center Expert, versions 7.5.0 and earlier, allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allow for the arbitrary upload of files contained with the zip onto the server file system outside of the intended directory. This is leveraging the more commonly known ZipSlip vulnerability within Java code.",Schneider Electric,Data Center Expert Versions 7.5.0 And Earlier,8.8,HIGH,0.0008999999845400453,false,false,false,false,,false,false,2018-11-30T19:00:00.000Z,0
CVE-2017-8371,https://securityvulnerability.io/vulnerability/CVE-2017-8371,,"Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors.",Schneider Electric,Struxureware Data Center Expert,6.8,MEDIUM,0.0007399999885819852,false,false,false,false,,false,false,2017-04-30T20:59:00.000Z,0