CVE-2024-37038

Published: Jun 12, 2024Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.

Affected (1)

Products: Schneider Electric: Sage Rtu Firmware

Schneider Electric

1 product

Sage Rtu Firmware

Configuration A

1 vulnerable · 6 platform

Vulnerable Software	Affected Versions
Schneider Electric Sage Rtu Firmware	Before c3414-500-s02k5_p9

Running on/with	Platform Versions
Schneider Electric Sage 1410	All versions
Schneider Electric Sage 1430	All versions
Schneider Electric Sage 1450	All versions
Schneider Electric Sage 2400	All versions
Schneider Electric Sage 3030 Magnum	All versions
Schneider Electric Sage 4400	All versions

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (2)

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf

Source: cybersecurity@se.com

PatchVendor Advisory

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.