A CWE-284:Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow for arbitrary code execution on the server when an authorized user access an affected webpage.
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ecostruxure_energy_expert | Schneider-electric | 2.0 (including) | 2.0 (including) |
| Ecostruxure_power_monitoring_expert | Schneider-electric | 7.0 (including) | 7.0 (including) |
| Ecostruxure_power_monitoring_expert | Schneider-electric | 8.0 (including) | 8.0 (including) |
| Ecostruxure_power_monitoring_expert | Schneider-electric | 9.0 (including) | 9.0 (including) |
| Power_manager | Schneider-electric | 1.1 (including) | 1.1 (including) |
| Power_manager | Schneider-electric | 1.2 (including) | 1.2 (including) |
| Power_manager | Schneider-electric | 1.3 (including) | 1.3 (including) |
| Powerscada_expert_with_advanced_reporting_and_dashboards | Schneider-electric | 8.0 (including) | 8.0 (including) |
| Powerscada_operation_with_advanced_reporting_and_dashboards | Schneider-electric | 9.0 (including) | 9.0 (including) |
Access control involves the use of several protection mechanisms such as:
When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: