SQL Injection Vulnerability in DCE by Schneider Electric
CVE-2023-37196

8.8HIGH

Key Information:

Vendor: Schneider Electric
Status: Struxureware Data Center Expert
Vendor: CVE Published:; 12 July 2023

Summary

A vulnerability exists within Schneider Electric's DCE (Data Center Expert) that is characterized as an improper neutralization of special elements in an SQL command, commonly known as SQL injection. This flaw permits authenticated users to access unauthorized content, modify or delete data, and execute actions beyond their intended privileges when manipulating alert settings for endpoints in DCE.

Affected Version(s)

StruxureWare Data Center Expert v7.9.3 and earlier

References

https://download.schneider-electric.com/files?p_Doc_Ref=S...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 12, 2023
Vulnerability Reserved
Jun 28, 2023