The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2020-7533 | A CWE-255: Credentials Management vulnerability exists in Web Server on Modicon M340, Modicon Quantum and ModiconPremium Legacy offers and their Communication Modules (see security notification for version information) which could cause the execution of commands on the webserver without authentication when sending specially crafted HTTP requests. | HIGH | Dec 1, 2020 |
CVE-2020-7532 | A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack x70 Security Administrator (V1.2.0 and prior) which could allow arbitrary code execution when an attacker builds a custom .SDB file containing a malicious serialized buffer. | MEDIUM | Sep 16, 2020 |
CVE-2020-7531 | A CWE-284 Improper Access Control vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place executables in a specific folder and run code whenever RemoteConnect is executed by the user. | MEDIUM | Sep 16, 2020 |
CVE-2020-7530 | A CWE-285 Improper Authorization vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows improper access to executable code folders. | MEDIUM | Sep 16, 2020 |
CVE-2020-7529 | A CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\'Path Transversal\') vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place content in any unprotected folder on the target system using a crafted .RCZ file. | MEDIUM | Sep 16, 2020 |
CVE-2020-7528 | A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which could allow arbitrary code execution when an attacker builds a custom .PRJ file containing a malicious serialized buffer. | MEDIUM | Sep 16, 2020 |
CVE-2020-7527 | Incorrect Default Permission vulnerability exists in SoMove (V2.8.1) and prior which could cause elevation of privilege and provide full access control to local system users to SoMove component and services when a SoMove installer script is launched. | MEDIUM | Sep 4, 2020 |
CVE-2020-7526 | Improper Input Validation vulnerability exists in PowerChute Business Edition (software V9.0.x and earlier) which could cause remote code execution when a script is executed during a shutdown event. | MEDIUM | Sep 4, 2020 |
CVE-2020-7525 | Improper Restriction of Excessive Authentication Attempts vulnerability exists in all hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk) which could allow an attacker to guess a password when brute force is used. | MEDIUM | Sep 4, 2020 |
CVE-2020-7524 | Out-of-bounds Write vulnerability exists in Modicon M218 Logic Controller (V5.0.0.7 and prior) which could cause Denial of Service when sending specific crafted IPV4 packet to the controller: Sending a specific IPv4 protocol package to Schneider Electric Modicon M218 Logic Controller can cause IPv4 devices to go down. The device does not work properly and must be powered back on to return to normal. | MEDIUM | Aug 31, 2020 |
CVE-2020-7523 | Improper Privilege Management vulnerability exists in Schneider Electric Modbus Serial Driver (see security notification for versions) which could cause local privilege escalation when the Modbus Serial Driver service is invoked. The driver does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. | MEDIUM | Sep 4, 2020 |
CVE-2020-7522 | Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists in SFAPV9601 - APC Easy UPS On-Line Software (V2.0 and earlier) when accessing a vulnerable method of `SoundUploadServlet` which may lead to uploading executable files to non-specified directories. | HIGH | Sep 4, 2020 |
CVE-2020-7521 | Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists in SFAPV9601 - APC Easy UPS On-Line Software (V2.0 and earlier) when accessing a vulnerable method of `FileUploadServlet` which may lead to uploading executable files to non-specified directories. | HIGH | Sep 4, 2020 |
CVE-2020-7520 | A CWE-601: URL Redirection to Untrusted Site (\'Open Redirect\') vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\'s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\'s possession. A man-in-the-middle attack is then used to complete the exploit. | MEDIUM | Jul 23, 2020 |
CVE-2020-7519 | A CWE-521: Weak Password Requirements vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker to compromise a user account. | MEDIUM | Jul 27, 2020 |
CVE-2020-7518 | A CWE-20: Improper input validation vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker to modify project configuration files. | MEDIUM | Jul 27, 2020 |
CVE-2020-7517 | A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker to read user credentials. | LOW | Jul 27, 2020 |
CVE-2020-7516 | A CWE-316: Cleartext Storage of Sensitive Information in Memory vulnerability exists in Easergy Builder V1.4.7.2 and prior which could allow an attacker access to login credentials. | LOW | Jul 27, 2020 |
CVE-2020-7515 | A CWE-321: Use of hard-coded cryptographic key stored in cleartext vulnerability exists in Easergy Builder V1.4.7.2 and prior which could allow an attacker to decrypt a password. | LOW | Jul 27, 2020 |
CVE-2020-7514 | A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker access to the authorization credentials for a device and gain full access. | MEDIUM | Jul 27, 2020 |
CVE-2020-7513 | A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to intercept traffic and read configuration data. | MEDIUM | Jun 17, 2020 |
CVE-2020-7512 | A CWE-1103: Use of Platform-Dependent Third Party Components with vulnerabilities vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to exploit the component. | HIGH | Jun 19, 2020 |
CVE-2020-7511 | A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to acquire a password by brute force. | MEDIUM | Jun 17, 2020 |
CVE-2020-7510 | A CWE-200: Information Exposure vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow attacker to obtain private keys. | MEDIUM | Jun 17, 2020 |
CVE-2020-7509 | A CWE-269: Improper privilege management (write) vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to elevate their privileges and delete files. | MEDIUM | Jun 17, 2020 |
CVE-2020-7508 | A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to gain full access by brute force. | MEDIUM | Jun 17, 2020 |
CVE-2020-7507 | A CWE-400: Uncontrolled Resource Consumption vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to login multiple times resulting in a denial of service. | MEDIUM | Jun 17, 2020 |
CVE-2020-7506 | A CWE-200: Information Exposure vulnerability exists in Easergy T300, Firmware V1.5.2 and prior, which could allow an attacker to pack or unpack the archive with the firmware for the controller and modules using the usual tar archiver resulting in an information exposure. | MEDIUM | Jun 17, 2020 |
CVE-2020-7505 | A CWE-494 Download of Code Without Integrity Check vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to inject data with dangerous content into the firmware and execute arbitrary code on the system. | HIGH | Jun 17, 2020 |
CVE-2020-7504 | A CWE-20: Improper Input Validation vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to disable the webserver service on the device when specially crafted network packets are sent. | MEDIUM | Jun 17, 2020 |
CVE-2020-7503 | A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to execute malicious commands on behalf of a legitimate user when xsrf-token data is intercepted. | MEDIUM | Jun 17, 2020 |
CVE-2020-7502 | A CWE-787: Out-of-bounds Write vulnerability exists in Modicon M218 Logic Controller (Firmware version 4.3 and prior), which may cause a Denial of Service when specific TCP/IP crafted packets are sent to the Modicon M218 Logic Controller. | MEDIUM | Jun 16, 2020 |
CVE-2020-7501 | A CWE-798: Use of Hard-coded Credentials vulnerability exists in Vijeo Designer Basic (V1.1 HotFix 16 and prior) and Vijeo Designer (V6.2 SP9 and prior) which could cause unauthorized read and write when downloading and uploading project or firmware into Vijeo Designer Basic and Vijeo Designer. | MEDIUM | Jun 16, 2020 |
CVE-2020-7500 | A CWE-89:Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause arbitrary code to be executed when a malicious command is entered. | HIGH | Jun 16, 2020 |
CVE-2020-7499 | A CWE-863: Incorrect Authorization vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause unauthorized access when a low privileged user makes unauthorized changes. | MEDIUM | Jun 16, 2020 |
CVE-2020-7498 | A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results. | HIGH | Jun 16, 2020 |
CVE-2020-7497 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause arbitrary application execution when the computer starts. | HIGH | Jun 19, 2020 |
CVE-2020-7496 | A CWE-88: Argument Injection or Modification vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause unauthorized write access when opening the project file. | MEDIUM | Jun 18, 2020 |
CVE-2020-7495 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file. | MEDIUM | Jun 19, 2020 |
CVE-2020-7494 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file. | MEDIUM | Jun 19, 2020 |
CVE-2020-7493 | A CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file. | MEDIUM | Jun 17, 2020 |
CVE-2020-7492 | A CWE-521: Weak Password Requirements vulnerability exists in the GP-Pro EX V1.00 to V4.09.100 which could cause the discovery of the password when the user is entering the password because it is not masqueraded. | MEDIUM | Jun 16, 2020 |
CVE-2020-7491 | **VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy debug port account in TCMs installed in Tricon system versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access. This vulnerability was remediated in TCM version 10.5.4. | MEDIUM | Jul 23, 2020 |
CVE-2020-7490 | A CWE-426: Untrusted Search Path vulnerability exists in Vijeo Designer Basic (V1.1 HotFix 15 and prior) and Vijeo Designer (V6.9 SP9 and prior), which could cause arbitrary code execution on the system running Vijeo Basic when a malicious DLL library is loaded by the Product. | MEDIUM | Apr 22, 2020 |
CVE-2020-7489 | A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\'Injection\') vulnerability exists on EcoStruxure Machine Expert – Basic or SoMachine Basic programming software (versions in security notification). The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller. | HIGH | Apr 22, 2020 |
CVE-2020-7488 | A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists which could leak sensitive information transmitted between the software and the Modicon M218, M241, M251, and M258 controllers. | MEDIUM | Apr 22, 2020 |
CVE-2020-7487 | A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists which could allow the attacker to execute malicious code on the Modicon M218, M241, M251, and M258 controllers. | HIGH | Apr 22, 2020 |
CVE-2020-7486 | **VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause TCM modules to reset when under high network load in TCM v10.4.x and in system v10.3.x. This vulnerability was discovered and remediated in version v10.5.x on August 13, 2009. TCMs from v10.5.x and on will no longer exhibit this behavior. | MEDIUM | Apr 16, 2020 |
CVE-2020-7485 | **VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy support account in the TriStation software version v4.9.0 and earlier could cause improper access to the TriStation host machine. This was addressed in TriStation version v4.9.1 and v4.10.1 released on May 30, 2013.1 | HIGH | Apr 16, 2020 |
CVE-2020-7484 | **VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability with the former \'password\' feature could allow a denial of service attack if the user is not following documented guidelines pertaining to dedicated TriStation connection and key-switch protection. This vulnerability was discovered and remediated in versions v4.9.1 and v4.10.1 on May 30, 2013. This feature is not present in version v4.9.1 and v4.10.1 through current. Therefore, the vulnerability is not present in these versions. | MEDIUM | Apr 16, 2020 |