Struxureware Data Center Expert Security Vulnerabilities
Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors.
6.8CVSS
6.3AI Score
0.001EPSS
procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution...
7.8CVSS
8.3AI Score
0.0005EPSS
procps-ng before version 3.3.15 is vulnerable to an incorrect integer size in proc/alloc.* leading to truncation/integer overflow issues. This flaw is related to CVE-2018-1124.
9.8CVSS
7.7AI Score
0.005EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attac...
3.7CVSS
3.8AI Score
0.002EPSS
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols...
6.5CVSS
5.5AI Score
0.003EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: LDAP). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows low privileged attacker with...
4.3CVSS
4.2AI Score
0.001EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker w...
4.8CVSS
4.8AI Score
0.003EPSS
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: I18n). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastruct...
4.5CVSS
5.2AI Score
0.001EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacke...
5.3CVSS
5AI Score
0.003EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker wi...
5.9CVSS
5.7AI Score
0.002EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JGSS). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker w...
5.3CVSS
5AI Score
0.002EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker w...
8.3CVSS
6.8AI Score
0.003EPSS
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JGSS). Supported versions that are affected are Java SE: 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple pro...
6.8CVSS
6.2AI Score
0.002EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker wi...
7.4CVSS
6.2AI Score
0.002EPSS
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multip...
6.1CVSS
5.9AI Score
0.002EPSS
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u171 and 7u161; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compr...
5.3CVSS
4.7AI Score
0.004EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacke...
4.3CVSS
4.3AI Score
0.003EPSS
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple...
4.3CVSS
4.4AI Score
0.003EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker wit...
4.3CVSS
4.3AI Score
0.003EPSS
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via mult...
3.1CVSS
3.9AI Score
0.002EPSS
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java...
7.7CVSS
7.7AI Score
0.001EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker wi...
5.3CVSS
5AI Score
0.004EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with n...
5.3CVSS
5AI Score
0.004EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with ne...
5.3CVSS
5AI Score
0.004EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with ne...
5.3CVSS
5AI Score
0.004EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network ...
5.3CVSS
5AI Score
0.002EPSS
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compro...
4.2CVSS
4.3AI Score
0.002EPSS
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Install). Supported versions that are affected are Java SE: 8u162 and 10. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Success...
7.7CVSS
7.5AI Score
0.001EPSS
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multi...
8.3CVSS
8.1AI Score
0.003EPSS
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attack...
5.3CVSS
4.9AI Score
0.003EPSS
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store ...
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.
5.6CVSS
6.3AI Score
0.001EPSS
Data Center Expert, versions 7.5.0 and earlier, allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allo...
8.8CVSS
8.5AI Score
0.001EPSS
A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)
9.8CVSS
9.6AI Score
0.007EPSS
A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)
9.8CVSS
9.8AI Score
0.004EPSS
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code executionon upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
8.8CVSS
8.7AI Score
0.001EPSS
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to devicecredentials on specific DCE endpoints not being properly secured when a hacker is using a lowprivileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
8.8CVSS
6.4AI Score
0.001EPSS
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists thatallows for remote code execution when using a parameter of the DCE network settingsendpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
9.8CVSS
9.7AI Score
0.003EPSS
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists thatallows remote code execution via the “hostname” parameter when maliciously crafted hostnamesyntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
9.8CVSS
9.7AI Score
0.003EPSS
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-siteScripting') vulnerability exists on a DCE file upload endpoint when tampering with parametersover HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
6.1CVSS
6.3AI Score
0.0005EPSS
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorizedcontent, changes or deleting of content, or performing unauthorized functions when tamperingthe Device File Transfer settings on DCE endpoints. Affected products: StruxureWare Data Center Expert (V7.9.2 an...
8.1CVSS
8AI Score
0.001EPSS
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-siteScripting') vulnerability exists on a DCE endpoint through the logging capabilities of thewebserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
6.1CVSS
6.3AI Score
0.0005EPSS
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OSCommand Injection') vulnerability exists that allows a local privilege escalation on the appliancewhen a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center...
7.8CVSS
7.8AI Score
0.0004EPSS
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OSCommand Injection') vulnerability exists that could allow a user that knows the credentials toexecute unprivileged shell commands on the appliance over SSH. Affected products: StruxureWare Data Center Expert (V7.9.2 and...
8.1CVSS
8.1AI Score
0.001EPSS
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE toaccess unauthorized content, change, or delete content, or perform unauthorized actions whentampering with the aler...
8.8CVSS
8.6AI Score
0.001EPSS
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE toaccess unauthorized content, change, or delete content, or perform unauthorized actions whentampering with the mass...
8.8CVSS
8.6AI Score
0.001EPSS
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists thatcould cause remote code execution when an admin user on DCE uploads or tampers with installpackages.
7.2CVSS
7.5AI Score
0.001EPSS
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists thatcould cause remote code execution when an admin user on DCE tampers with backups whichare then manually restored.
7.2CVSS
7.5AI Score
0.001EPSS