CVE-2018-7235

HIGH

Schneider Electric Pelco Sarix Professional < 3.29.67 - Arbitrary System File Download via system.download.sd_file

Description

A vulnerability exists in Schneider Electric's Pelco Sarix Professional, in all firmware versions prior to 3.29.67, which could allow arbitrary system file download due to a lack of validation of shell metacharacters in the value of 'system.download.sd_file'.

Scores

CVSS v3 7.5
EPSS 0.0029
EPSS Percentile 52.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-20
Status published
Products (20)
schneider-electric/ibp1110-1er_firmware < 3.29.67
schneider-electric/ibp219-1er_firmware < 3.29.67
schneider-electric/ibp319-1er_firmware < 3.29.67
schneider-electric/ibp519-1er_firmware < 3.29.67
schneider-electric/ibps110-1er_firmware < 3.29.67
schneider-electric/imp1110-1_firmware < 3.29.67
schneider-electric/imp1110-1e_firmware < 3.29.67
schneider-electric/imp1110-1er_firmware < 3.29.67
schneider-electric/imp219-1_firmware < 3.29.67
schneider-electric/imp219-1e_firmware < 3.29.67
... and 10 more
Published Mar 09, 2018
Tracked Since Feb 18, 2026