CVE-2023-1049

Summary

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI.

Affected Software

VendorProductVersion RangeStatus
Schneider ElectricEcoStruxure™ Operator Terminal Expert3.3 SP1 and prioraffected
Schneider ElectricPro-face BLUE3.3 SP1 and prioraffected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References