NVD:CVE-2023-27980 (source: nvd)
History: Mar 21, 2023 - 6:15 a.m.

CVE-2023-27980

2023-03-21 06:15:13
CWE-306
web.nvd.nist.gov
2
vulnerability
remote code execution
igss data server
igss dashboard
custom reports

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9
Confidence: High

EPSS: 0.004
Percentile: 74.0%

A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow the creation of a malicious report file in the IGSS project report directory. This could lead to remote code execution when a victim eventually opens the report. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior).

Affected configurations

Nvd
Node
schneider-electric  custom_reports    Range 16.0.0.23040
OR
schneider-electric  igss_dashboard    Range 16.0.0.23040
OR
schneider-electric  igss_data_server  Range 16.0.0.23040

Vendor              Product           Version  CPE
schneider-electric  custom_reports    *        cpe:2.3:a:schneider-electric:custom_reports:*:*:*:*:*:*:*:*
schneider-electric  igss_dashboard    *        cpe:2.3:a:schneider-electric:igss_dashboard:*:*:*:*:*:*:*:*
schneider-electric  igss_data_server  *        cpe:2.3:a:schneider-electric:igss_data_server:*:*:*:*:*:*:*:*
