CVE-2023-1049

Published: Jun 14, 2023Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI.

Affected (6)

Products: Schneider Electric: Ecostruxure Operator Terminal Expert, Pro Face Blue

Schneider Electric

2 products

Ecostruxure Operator Terminal Expert

Pro Face Blue

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Schneider Electric Ecostruxure Operator Terminal Expert	Before 3.3
Schneider Electric Ecostruxure Operator Terminal Expert	Version 3.3
Schneider Electric Ecostruxure Operator Terminal Expert	Version 3.3 sp1
Schneider Electric Pro Face Blue	Before 3.3
Schneider Electric Pro Face Blue	Version 3.3
Schneider Electric Pro Face Blue	Version 3.3 sp1

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-164-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-164-01.pdf

Source: cybersecurity@se.com

Vendor Advisory

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-164-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-164-01.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.