Struxureware Data Center Expert Security Vulnerabilities - 2023

CVE-2023-25547

A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

8.8 CVSS

8.7 AI Score

0.001 EPSS

2023-04-18 09:15 PM

CVE-2023-25548

A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

8.8 CVSS

6.4 AI Score

0.001 EPSS

2023-04-18 09:15 PM

CVE-2023-25549

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

9.8 CVSS

9.7 AI Score

0.003 EPSS

2023-04-18 09:15 PM

CVE-2023-25550

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

9.8 CVSS

9.7 AI Score

0.003 EPSS

2023-04-18 09:15 PM

CVE-2023-25551

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

6.1 CVSS

6.3 AI Score

0.0005 EPSS

2023-04-18 09:15 PM

CVE-2023-25552

A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. Affected products: StruxureWare Data Center Expert (V7.9.2 an...

8.1 CVSS

8 AI Score

0.001 EPSS

2023-04-18 09:15 PM

CVE-2023-25553

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

6.1 CVSS

6.3 AI Score

0.0005 EPSS

2023-04-18 09:15 PM

CVE-2023-25554

A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center...

7.8 CVSS

7.8 AI Score

0.0004 EPSS

2023-04-18 09:15 PM

CVE-2023-25555

A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. Affected products: StruxureWare Data Center Expert (V7.9.2 and...

8.1 CVSS

8.1 AI Score

0.001 EPSS

2023-04-18 09:15 PM

CVE-2023-37196

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the aler...

8.8 CVSS

8.6 AI Score

0.001 EPSS

2023-07-12 07:15 AM

CVE-2023-37197

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the mass...

8.8 CVSS

8.6 AI Score

0.001 EPSS

2023-07-12 07:15 AM

CVE-2023-37198

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.

7.2 CVSS

7.5 AI Score

0.001 EPSS

2023-07-12 07:15 AM

CVE-2023-37199

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.

7.2 CVSS

7.5 AI Score

0.001 EPSS

2023-07-12 08:15 AM