Moxa EDS Ethernet Switches Uncontrolled Resource Consumption (CVE-2019-19707)
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices with firmware through 6.0, denial of service can occur via PROFINET DCE-RPC endpoint discovery packets. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.
CVE-2023-37199
A CWE-94: Improper Control of Generation of Code 'Code Injection' vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored...
Code injection
A CWE-94: Improper Control of Generation of Code 'Code Injection' vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored...
CVE-2023-37198
A CWE-94: Improper Control of Generation of Code 'Code Injection' vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages...
SQL injection
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command 'SQL Injection' vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the...
SQL injection
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command 'SQL Injection' vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the...
Code injection
A CWE-94: Improper Control of Generation of Code 'Code Injection' vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages...
CVE-2023-37199
CVE-2023-37199 concerns Schneider Electric StruxureWare Data Center Expert (DCE). Multiple connected sources identify a CWE-94 Code Injection vulnerability that could allow remote code execution when an administrator tampers with backups that are then restored. The vulnerability affects StruxureW...
CVE-2023-37198
Schneider Electric StruxureWare Data Center Expert (DCE) contains a CWE-94 code injection vulnerability that could allow remote code execution when an administrator uploads or tampers with installation packages. The issue affects StruxureWare Data Center Expert and related components (v7.9.3 and ...
CVE-2023-37197
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command 'SQL Injection' vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the...
CVE-2023-37197
CVE-2023-37197 describes an SQL Injection in Schneider Electric StruxureWare/Data Center Expert (DCE). The vulnerability arises from improper neutralization of special elements in SQL commands, allowing an authenticated DCE user to access, modify, or delete content or perform unauthorized actions...
CVE-2023-37196
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command 'SQL Injection' vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the...
CVE-2023-37196
Schneider Electric StruxureWare Data Center Expert (DCE) pre‑7.9.3 is affected by a CWE-89 SQL Injection due to improper neutralization of special elements. An authenticated DCE user could access, modify, or delete content and tamper with endpoint alert settings. The CVE notes high impact (C/H/I/...
CVE-2023-20892
The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this heap-overflow vulnerability to execute arbitrary code on the underlying operating...
CVE-2023-25549
A CWE-94: Improper Control of Generation of Code 'Code Injection' vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert V7.9.2 and prior...
CVE-2023-25552
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changing or deleting of content, or performing unauthorized functions when tampering with the Device File Transfer settings on DCE endpoints. Affected products: StruxureWare Data Center Expert V7.9.2...