CVE-2024-37038

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-37038
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf Patch Vendor Advisory
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf Patch Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:schneider-electric:sage_rtu_firmware:*:*:*:*:*:*:*:*
OR cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*
History

21 Nov 2024, 09:23

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : 7.5
References () https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf - Patch, Vendor Advisory () https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf - Patch, Vendor Advisory

25 Jul 2024, 20:25

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5 		v2 : unknown
v3 : 8.8
CPE cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:sage_rtu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*
First Time Schneider-electric
Schneider-electric sage 4400
Schneider-electric sage 1410
Schneider-electric sage 2400
Schneider-electric sage 3030 Magnum
Schneider-electric sage 1450
Schneider-electric sage Rtu Firmware
Schneider-electric sage 1430
References () https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf - () https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf - Patch, Vendor Advisory

13 Jun 2024, 18:36

Type Values Removed Values Added
Summary
  • (es) CWE-276: Existe una vulnerabilidad de permisos predeterminados incorrectos que podría permitir que un usuario autenticado con acceso a la interfaz web del dispositivo realice cargas de archivos y firmware no autorizadas al crear solicitudes web personalizadas.

12 Jun 2024, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-12 17:15

Updated : 2024-11-21 09:23

NVD link : CVE-2024-37038

Mitre link : CVE-2024-37038

CVE.ORG link : CVE-2024-37038

JSON object : View

Products Affected

schneider-electric

  • sage_rtu_firmware
  • sage_1430
  • sage_1410
  • sage_2400
  • sage_3030_magnum
  • sage_4400
  • sage_1450
CWE
CWE-276

Incorrect Default Permissions