13 matches found
CVE-2023-25549
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVE-2023-25547
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVE-2023-25552
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. Affected products: StruxureWare Data Center Expert (V7.9.2 an...
CVE-2023-25548
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVE-2023-25554
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center...
CVE-2023-25555
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. Affected products: StruxureWare Data Center Expert (V7.9.2 and...
CVE-2023-37196
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the aler...
CVE-2023-25550
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVE-2023-25553
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVE-2023-25551
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
CVE-2023-37199
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.
CVE-2023-37197
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when tampering with the mass...
CVE-2023-37198
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.