SQL Injection Vulnerability in Schneider Electric's DCE
CVE-2023-37197
8.8 HIGH
Key Information:
- Vendor: Schneider Electric
- CVE Published: 12 July 2023
Summary
An SQL Injection vulnerability exists in Schneider Electric's DCE that can be exploited by an authenticated user. This flaw enables the attacker to manipulate configuration settings, potentially allowing unauthorized access to sensitive content, alterations to existing data, or deletion of critical information. Users must be cautious as the manipulation of mass settings can lead to severe security breaches if left unaddressed.
Affected Version(s)
StruxureWare Data Center Expert v7.9.3 and earlier
CVSS V3.1
- Score: 8.8
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved