Product:

Ecostruxure_power_monitoring_expert

(Schneider\-Electric)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 13
Date Id Summary Products Score Patch Annotated
2020-12-01 CVE-2020-7547 A CWE-284: Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow a user the ability to perform actions via the web interface at a higher privilege level. Ecostruxure_energy_expert, Ecostruxure_power_monitoring_expert, Power_manager, Powerscada_expert_with_advanced_reporting_and_dashboards, Powerscada_operation_with_advanced_reporting_and_dashboards 8.8
2022-01-28 CVE-2021-22826 A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload. This CVE is unique from CVE-2021-22827. Affected Product: EcoStruxure? Power Monitoring Expert 9.0 and prior versions Ecostruxure_power_monitoring_expert 8.8
2022-01-28 CVE-2021-22827 A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload. This CVE is unique from CVE-2021-22826. Affected Product: EcoStruxure? Power Monitoring Expert 9.0 and prior versions Ecostruxure_power_monitoring_expert 8.8
2022-02-04 CVE-2022-22726 A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior) Ecostruxure_power_monitoring_expert 6.5
2022-02-04 CVE-2022-22727 A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user?s local machine when the user clicks a specially crafted link. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior) Ecostruxure_power_monitoring_expert 8.8
2022-02-04 CVE-2022-22804 A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior) Ecostruxure_power_monitoring_expert 5.4
2023-04-18 CVE-2023-28003 A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account. Ecostruxure_power_monitoring_expert 8.8
2023-10-04 CVE-2023-5391 A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application. Ecostruxure_power_monitoring_expert, Ecostruxure_power_operation_with_advanced_reports, Ecostruxure_power_scada_operation_with_advanced_reports 9.8
2023-11-15 CVE-2023-5986 A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an openredirect vulnerability leading to a cross site scripting attack. By providing a URL-encoded input attackers can cause the software’s web application to redirect to the chosen domain after a successful login is performed. Ecostruxure_power_monitoring_expert 6.1
2023-11-15 CVE-2023-5987 A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload. Ecostruxure_power_monitoring_expert 6.1