CVE-2023-27982

2023-03-2107:15:08

CWE-345

[email protected]

web.nvd.nist.gov

cwe-345

data server

igss project

remote code execution

dashboard files

tcp port

vulnerability

custom reports

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.004

Percentile

74.4%

JSON

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).

Affected configurations

Nvd

Node

schneider-electriccustom_reportsRange≤16.0.0.23040

schneider-electricigss_dashboardRange≤16.0.0.23040

schneider-electricigss_data_serverRange≤16.0.0.23040

VendorProductVersionCPE
schneider-electriccustom_reports*cpe:2.3:a:schneider-electric:custom_reports:*:*:*:*:*:*:*:*
schneider-electricigss_dashboard*cpe:2.3:a:schneider-electric:igss_dashboard:*:*:*:*:*:*:*:*
schneider-electricigss_data_server*cpe:2.3:a:schneider-electric:igss_data_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
schneider-electric	custom_reports	*	cpe:2.3:a:schneider-electric:custom_reports::::::::
schneider-electric	igss_dashboard	*	cpe:2.3:a:schneider-electric:igss_dashboard::::::::
schneider-electric	igss_data_server	*	cpe:2.3:a:schneider-electric:igss_data_server::::::::