CVE-2018-7245 (GCVE-0-2018-7245)

Vulnerability from cvelistv5 – Published: 2018-04-18 20:00 – Updated: 2024-08-05 06:24
VLAI?
Summary
An improper authorization vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. The integrated web server (Port 80/443/TCP) of the affected devices could allow a remote attacker to change UPS control and shutdown parameters or other critical settings without authorization.
Severity ?
No CVSS data available.
CWE
  • Improper Authorization
Assigner
References
Impacted products
Vendor Product Version
Schneider Electric SE 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS Affected: MGE Network Management Card Transverse, part number: SF66074. All card versions affected, when installed in following products: MGE Galaxy 5000, MGE Galaxy 6000, MGE Galaxy 9000, MGE EPS 7000, MGE EPS 8000, MGE EPS 6000, MGE Comet UPS, MGE Galaxy PW, MGE Galaxy 3000, MGE Galaxy 4000
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:24:11.357Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-01/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS",
          "vendor": "Schneider Electric SE",
          "versions": [
            {
              "status": "affected",
              "version": "MGE Network Management Card Transverse, part number: SF66074. All card versions affected, when installed in following products: MGE Galaxy 5000, MGE Galaxy 6000, MGE Galaxy 9000, MGE EPS 7000, MGE EPS 8000, MGE EPS 6000, MGE Comet UPS, MGE Galaxy PW, MGE Galaxy 3000, MGE Galaxy 4000"
            }
          ]
        }
      ],
      "datePublic": "2018-03-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An improper authorization vulnerability exists In Schneider Electric\u0027s 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. The integrated web server (Port 80/443/TCP) of the affected devices could allow a remote attacker to change UPS control and shutdown parameters or other critical settings without authorization."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Authorization",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-04-18T19:57:01",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-01/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2018-7245",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "MGE Network Management Card Transverse, part number: SF66074. All card versions affected, when installed in following products: MGE Galaxy 5000, MGE Galaxy 6000, MGE Galaxy 9000, MGE EPS 7000, MGE EPS 8000, MGE EPS 6000, MGE Comet UPS, MGE Galaxy PW, MGE Galaxy 3000, MGE Galaxy 4000"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Schneider Electric SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An improper authorization vulnerability exists In Schneider Electric\u0027s 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. The integrated web server (Port 80/443/TCP) of the affected devices could allow a remote attacker to change UPS control and shutdown parameters or other critical settings without authorization."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-01/",
              "refsource": "CONFIRM",
              "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-01/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2018-7245",
    "datePublished": "2018-04-18T20:00:00",
    "dateReserved": "2018-02-19T00:00:00",
    "dateUpdated": "2024-08-05T06:24:11.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-7245\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2018-04-18T20:29:00.513\",\"lastModified\":\"2024-11-21T04:11:52.157\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An improper authorization vulnerability exists In Schneider Electric\u0027s 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. The integrated web server (Port 80/443/TCP) of the affected devices could allow a remote attacker to change UPS control and shutdown parameters or other critical settings without authorization.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de autorizaci\u00f3n incorrecta en 66074 MGE Network Management Card Transverse, de Schneider Electric, instalados en MGE UPS y MGE STS. El servidor web integrado (Port 80/443/TCP) de los dispositivos afectados podr\u00eda permitir que un atacante remoto cambie los par\u00e1metros UPS de control y cierre u otras opciones cr\u00edticas sin autorizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:schneider-electric:66074_mge_network_management_card_transverse:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7DBB8697-64F8-4D15-8B14-CDD51E99FBCF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_comet_ups:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9837318-C9B6-448E-B701-40929C96795A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_eps_6000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98078458-B5AB-4AD2-9E57-390591469F37\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_eps_7000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"05DE2424-0969-491D-A414-81A648F2F801\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_eps_8000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60DC5EF0-1929-4D67-89BF-47D6F6848411\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_galaxy_3000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"955C94DD-90E6-4AB1-87CC-4EDACEA47DF0\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_galaxy_4000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7FCAE877-B3E9-4970-B0EE-49C64C85715C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_galaxy_5000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EBFA4F2-6574-4D58-9B0C-317229DF503E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_galaxy_6000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"790BF7D0-4E2D-4607-8C47-C4B707538E66\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_galaxy_9000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"54A1FC87-5319-4F69-9228-C664D505B1CC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:mge_galaxy_pw:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59D9633E-051F-427A-BADA-61BC8501AAE9\"}]}]}],\"references\":[{\"url\":\"https://www.schneider-electric.com/en/download/document/SEVD-2018-074-01/\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://www.schneider-electric.com/en/download/document/SEVD-2018-074-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.