VAR-202303-1424
Vulnerability from variot - Updated: 2023-12-18 11:54A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). Schneider Electric of custom reports , IGSS Dashboard (DashBoard.exe) , igss data server There is an input validation vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the openReport function. The issue results from the lack of proper input validation. An attacker can leverage this vulnerability to execute code in the context of the current user. Schneider Electric IGSS Data Server is a data server of an interactive graphic Scada system of French Schneider Electric (Schneider Electric)
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202303-1424",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "igss data server",
"scope": "lte",
"trust": 1.0,
"vendor": "schneider electric",
"version": "16.0.0.23040"
},
{
"model": "igss dashboard",
"scope": "lte",
"trust": 1.0,
"vendor": "schneider electric",
"version": "16.0.0.23040"
},
{
"model": "custom reports",
"scope": "lte",
"trust": 1.0,
"vendor": "schneider electric",
"version": "16.0.0.23040"
},
{
"model": "igss dashboard",
"scope": null,
"trust": 0.8,
"vendor": "schneider electric",
"version": null
},
{
"model": "custom reports",
"scope": null,
"trust": 0.8,
"vendor": "schneider electric",
"version": null
},
{
"model": "igss data server",
"scope": null,
"trust": 0.8,
"vendor": "schneider electric",
"version": null
},
{
"model": "igss",
"scope": null,
"trust": 0.7,
"vendor": "schneider electric",
"version": null
},
{
"model": "electric igss data server",
"scope": "lte",
"trust": 0.6,
"vendor": "schneider",
"version": "\u003c=v16.0.0.23040"
},
{
"model": "electric igss dashboard",
"scope": "lte",
"trust": 0.6,
"vendor": "schneider",
"version": "\u003c=v16.0.0.23040"
},
{
"model": "electric custom reports",
"scope": "lte",
"trust": 0.6,
"vendor": "schneider",
"version": "\u003c=v16.0.0.23040"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"db": "NVD",
"id": "CVE-2023-27984"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:schneider-electric:custom_reports:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "16.0.0.23040",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneider-electric:igss_dashboard:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "16.0.0.23040",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneider-electric:igss_data_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "16.0.0.23040",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-27984"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "kimiya",
"sources": [
{
"db": "ZDI",
"id": "ZDI-23-341"
}
],
"trust": 0.7
},
"cve": "CVE-2023-27984",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2023-29376",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "cybersecurity@se.com",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2023-27984",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2023-27984",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "REQUIRED",
"vectorString": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-27984",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "cybersecurity@se.com",
"id": "CVE-2023-27984",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "ZDI",
"id": "CVE-2023-27984",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2023-29376",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202303-1568",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"db": "NVD",
"id": "CVE-2023-27984"
},
{
"db": "NVD",
"id": "CVE-2023-27984"
},
{
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). Schneider Electric of custom reports , IGSS Dashboard (DashBoard.exe) , igss data server There is an input validation vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the openReport function. The issue results from the lack of proper input validation. An attacker can leverage this vulnerability to execute code in the context of the current user. Schneider Electric IGSS Data Server is a data server of an interactive graphic Scada system of French Schneider Electric (Schneider Electric)",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-27984"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"db": "CNVD",
"id": "CNVD-2023-29376"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-27984",
"trust": 4.5
},
{
"db": "SCHNEIDER",
"id": "SEVD-2023-073-04",
"trust": 3.0
},
{
"db": "ICS CERT",
"id": "ICSA-23-082-04",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU94559502",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2023-005630",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-19420",
"trust": 0.7
},
{
"db": "ZDI",
"id": "ZDI-23-341",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2023-29376",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1792",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202303-1568",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"db": "NVD",
"id": "CVE-2023-27984"
},
{
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
]
},
"id": "VAR-202303-1424",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29376"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29376"
}
]
},
"last_update_date": "2023-12-18T11:54:51.731000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Schneider Electric has issued an update to correct this vulnerability.",
"trust": 0.7,
"url": "https://download.schneider-electric.com/files?p_doc_ref=sevd-2023-073-04\u0026p_endoctype=security+and+safety+notice\u0026p_file_name=sevd-2023-073-04.pdf"
},
{
"title": "Patch for Schneider Electric IGSS Data Server Input Validation Error Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/419161"
},
{
"title": "Schneider Electric IGSS Data Server Enter the fix for the verification error vulnerability",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230407"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.0
},
{
"problemtype": "Inappropriate input confirmation (CWE-20) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"db": "NVD",
"id": "CVE-2023-27984"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.7,
"url": "https://download.schneider-electric.com/files?p_doc_ref=sevd-2023-073-04\u0026p_endoctype=security+and+safety+notice\u0026p_file_name=sevd-2023-073-04.pdf"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu94559502/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-27984"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-04"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2023-27984/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1792"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"db": "NVD",
"id": "CVE-2023-27984"
},
{
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"db": "NVD",
"id": "CVE-2023-27984"
},
{
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-03-16T00:00:00",
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"date": "2023-04-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"date": "2023-11-09T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"date": "2023-03-21T11:15:10.553000",
"db": "NVD",
"id": "CVE-2023-27984"
},
{
"date": "2023-03-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-03-16T00:00:00",
"db": "ZDI",
"id": "ZDI-23-341"
},
{
"date": "2023-04-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"date": "2023-11-09T03:11:00",
"db": "JVNDB",
"id": "JVNDB-2023-005630"
},
{
"date": "2023-03-24T16:41:08.100000",
"db": "NVD",
"id": "CVE-2023-27984"
},
{
"date": "2023-03-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Schneider Electric IGSS Data Server Input Validation Error Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29376"
},
{
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202303-1568"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…