CVE-2017-9970
HIGHSchneider-electric Struxureon Gateway - Unrestricted File Upload
Title source: ruleDescription
A remote code execution vulnerability exists in Schneider Electric's StruxureOn Gateway versions 1.1.3 and prior. Uploading a zip which contains carefully crafted metadata allows for the file to be uploaded to any directory on the host machine information which could lead to remote code execution.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103052
Mitigation, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-18-046-04
Vendor Advisory x_refsource_confirm
https://www.schneider-electric.com/en/download/document/SEVD-2018-039-01/
Scores
CVSS v3
7.2
EPSS
0.0279
EPSS Percentile
86.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
schneider-electric/struxureon_gateway
< 1.1.3
Published
Feb 12, 2018
Tracked Since
Feb 18, 2026