Incorrect Default Permissions in Harmony and Vijeo Designer by Schneider Electric
CVE-2021-22817

7.8 HIGH

Summary

A vulnerability exists in Schneider Electric's Harmony and Vijeo Designer products due to incorrect default permissions. This misconfiguration can lead to unauthorized access to the base installation directory, potentially allowing an attacker to perform local privilege escalation. Affected products include all versions of Harmony/Magelis iPC Series, Vijeo Designer versions prior to V6.2 SP11 Multiple HotFix 4, and Vijeo Designer Basic versions prior to V1.2.1. Users are advised to review their system configurations and apply necessary updates to mitigate the risk.

Affected Version(s)

Harmony/Magelis iPC Series (All Versions), Vijeo Designer (All Versions prior to V6.2 SP11 Multiple HotFix 4), Vijeo Designer Basic (All Versions prior to V1.2.1)

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
