Improper Limitation of Pathname Vulnerability in Harmony HMI and Vijeo Designer by Schneider Electric
CVE-2021-22704

9.1CRITICAL

Key Information:

Vendor: Schneider Electric
Status: Harmony/hmi Products Configured By Vijeo Designer (all Versions Prior To V6.2 Sp11 ), Vijeo Designer Basic (all Versions Prior To V1.2), Or Ecostruxure Machine Expert (all Versions Prior To V2.0)
Vendor: CVE Published:; 2 September 2021

Summary

A vulnerability exists in Harmony/HMI Products configured by Vijeo Designer and EcoStruxure Machine Expert, allowing improper restriction of access to certain directories. This flaw can enable attackers to exploit the system over FTP, potentially leading to unauthorized access to sensitive system information or a Denial of Service. Users are encouraged to upgrade to the latest versions of the affected software to mitigate these risks.

Affected Version(s)

Harmony/HMI Products Configured by Vijeo Designer (all prior to V6.2 SP11 ), Vijeo Designer Basic (all prior to V1.2), or EcoStruxure Machine Expert (all prior to V2.0) Harmony/HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11 ), Vijeo Designer Basic (all versions prior to V1.2), or EcoStruxure Machine Expert (all versions prior to V2.0)

References

http://download.schneider-electric.com/files?p_Doc_Ref=SE...

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 2, 2021
Vulnerability Reserved
Jan 6, 2021