Description
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution when an authenticated attacker with admin privileges uploads a malicious file over HTTP, which is then executed.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME) Version 2022 – Version 2022
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME) Version 2023 – Version 2023
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME) Version 2024 – Version 2024
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME) Version 2024 R2 – Version 2024 R2
- Schneider Electric / EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module Version 2022 w/ Advanced Reporting Module – Version 2022 w/ Advanced Reporting Module
- Schneider Electric / EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module Version 2024 w/ Advanced Reporting Module – Version 2024 w/ Advanced Reporting Module