Lucene search

[email protected]CVE-2023-27984

HistoryMar 21, 2023 - 11:15 a.m.

CVE-2023-27984

2023-03-2111:15:10

CWE-20

[email protected]

web.nvd.nist.gov

improper input validation

remote code execution

custom reports

cve-2023-27984

nvd

igss data server

igss dashboard

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

72.0%

JSON

A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).

CPENameOperatorVersion
schneider-electric:custom_reportsschneider-electric custom reportsle16.0.0.23040
schneider-electric:custom_reportsschneider-electric custom reportseq16.0.0.23040
schneider-electric:igss_dashboardschneider-electric igss dashboardle16.0.0.23040
schneider-electric:igss_dashboardschneider-electric igss dashboardeq16.0.0.23040
schneider-electric:igss_dashboardschneider-electric igss dashboardeq-
schneider-electric:igss_data_serverschneider-electric igss data serverle16.0.0.23040
schneider-electric:igss_data_serverschneider-electric igss data servereq16.0.0.23040
schneider-electric:igss_data_serverschneider-electric igss data servereq15.0.0.22170

CPE	Name	Operator	Version
schneider-electric:custom_reports	schneider-electric custom reports	le	16.0.0.23040
schneider-electric:custom_reports	schneider-electric custom reports	eq	16.0.0.23040
schneider-electric:igss_dashboard	schneider-electric igss dashboard	le	16.0.0.23040
schneider-electric:igss_dashboard	schneider-electric igss dashboard	eq	16.0.0.23040
schneider-electric:igss_dashboard	schneider-electric igss dashboard	eq	-
schneider-electric:igss_data_server	schneider-electric igss data server	le	16.0.0.23040
schneider-electric:igss_data_server	schneider-electric igss data server	eq	16.0.0.23040
schneider-electric:igss_data_server	schneider-electric igss data server	eq	15.0.0.22170

References

download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-073-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-073-04.pdf

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

72.0%

JSON

Related for CVE-2023-27984

cvelist1 cnvd1 prion1 zdi1 ics1