CVE-2023-27982

Summary

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).

Affected Software

VendorProductVersion RangeStatus
Schneider ElectricIGSS Data Server(IGSSdataServer.exe)V <= 16.0.0.23040affected
Schneider ElectricIGSS Dashboard (DashBoard.exe)V <= 16.0.0.23040affected
Schneider ElectricCustom Reports (RMS16.dll)V <= 16.0.0.23040affected

Weaknesses

  • CWE-345: CWE-345 Insufficient Verification of Data Authenticity

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References