Code Injection Vulnerability in DCE by Schneider Electric
CVE-2023-37198

6.8MEDIUM

Key Information:

Vendor: Schneider Electric
Status: Struxureware Data Center Expert
Vendor: CVE Published:; 12 July 2023

Summary

A vulnerability exists in Schneider Electric's DCE that allows an admin user to upload or manipulate install packages, leading to a risk of remote code execution. The flaw is categorized as a code injection issue, which could be exploited by an attacker to execute arbitrary code within the application. This vulnerability places a significant risk on systems utilizing vulnerable versions of the product, highlighting the need for immediate mitigation and patching.

Affected Version(s)

StruxureWare Data Center Expert v7.9.3 and earlier

References

https://download.schneider-electric.com/files?p_Doc_Ref=S...

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 12, 2023
Vulnerability Reserved
Jun 28, 2023