CVE-2023-27982 HIGH

CVE-2023-27982

Vendor Schneider Electric

Product IGSS Data Server(IGSSdataServer.exe)

Weakness CWE-345

Published March 21, 2023

Last update February 5, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).

Key dates

02Disclosure timeline

March 21, 2023 CVE published

February 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-27982 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/345.html

Related vulnerabilities

Identifiers

CVE CVE-2023-27982

CWE CWE-345

CVSS 8.8 / HIGH

Affected versions

Vendor Schneider Electric

Product IGSS Data Server(IGSSdataServer.exe)

Affected ≥ V and ≤ 16.0.0.23040

Vendor Schneider Electric

Product IGSS Dashboard (DashBoard.exe)

Affected ≥ V and ≤ 16.0.0.23040

Vendor Schneider Electric

Product Custom Reports (RMS16.dll)

Affected ≥ V and ≤ 16.0.0.23040

CVE-2023-27982

01Description

02Disclosure timeline

03References

04Related CVE