Description
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspecting user loads a project file from the local filesystem into the HMI.
CVSS breakdown
CVSS 3.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- Schneider Electric / EcoStruxure™ Operator Terminal Expert – 3.3 SP1 and prior
- Schneider Electric / Pro-face BLUE – 3.3 SP1 and prior