History: Jun 12, 2024 - 4:51 p.m.

CVE-2024-37038

2024-06-12 16:51:55
CWE-276
schneider
www.cve.org
default permissions
unauthorized uploads
authenticated user
web interface
custom web requests
cwe-276
cve-2024-37038

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.0004 Low
Percentile: 9.1%

CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated
user with access to the device’s web interface to perform unauthorized file and firmware
uploads when crafting custom web requests.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Sage 1410",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "Versions C3414-500-S02K5_P8 and prior"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Sage 1430",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "Versions C3414-500-S02K5_P8 and prior"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Sage 1450",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "Versions C3414-500-S02K5_P8 and prior"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Sage 2400",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "Versions C3414-500-S02K5_P8 and prior"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Sage 3030 Magnum",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "Versions C3414-500-S02K5_P8 and prior"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Sage 4400",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "Versions C3414-500-S02K5_P8 and prior"
      }
    ]
  }
]
