VDB

CVE-2022-41671

CVE-2022-41671 PUBLISHED CVSS 7 HIGH

A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

EPSS 0.21% · 43.3th percentile

Risk Scores

CVSS 3.1
7
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.21%
43.3th percentile

Affected Products

VendorProductVersions
schneider-electricpro-face_blue3.3, 3.3, 0
Schneider ElectricEcoStruxure Operator Terminal ExpertV3.3
Schneider ElectricPro-face BLUEV3.3
schneider-electricecostruxure_operator_terminal_expert3.3, 3.3, 0

Exploit Intelligence

Timeline

  • Nov 4, 2022 CVE Published
  • Nov 5, 2022 EPSS Score
  • Nov 9, 2022 EPSS Score
  • Dec 18, 2022 EPSS Score
  • Jan 30, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Mar 15, 2023 EPSS Score
  • Apr 27, 2023 EPSS Score
  • Jun 9, 2023 EPSS Score
  • Sep 3, 2023 EPSS Score
  • Oct 16, 2023 EPSS Score
  • Nov 29, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›