CVE-2022-41671 : A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQ

A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

Published 2022-11-04 15:15:10

Updated 2022-11-08 16:21:05

Source Schneider Electric SE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2022-41671

Schneider-electric » Ecostruxure Operator Terminal Expert
Versions before (<) 3.3
cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*
Matching versions
Schneider-electric » Ecostruxure Operator Terminal Expert » Version: 3.3
cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:-:*:*:*:*:*:*
Matching versions
Schneider-electric » Ecostruxure Operator Terminal Expert » Version: 3.3 Update Hotfix1
cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:hotfix1:*:*:*:*:*:*
Matching versions
Schneider-electric » Pro-face Blue
Versions before (<) 3.3
cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*
Matching versions
Schneider-electric » Pro-face Blue » Version: 3.3
cpe:2.3:a:schneider-electric:pro-face_blue:3.3:-:*:*:*:*:*:*
Matching versions
Schneider-electric » Pro-face Blue » Version: 3.3 Update Hotfix1
cpe:2.3:a:schneider-electric:pro-face_blue:3.3:hotfix1:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-41671

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 14 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41671

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.0	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	Schneider Electric SE
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-41671

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: cybersecurity@se.com (Primary)

References for CVE-2022-41671

https://www.se.com/ww/en/download/document/SEVD-2022-284-01/

Security Notification - EcoStruxure Operator Terminal Expert and Pro-face BLUE Security and Safety Notice | Schneider Electric
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-41671

Products affected by CVE-2022-41671

Exploit prediction scoring system (EPSS) score for CVE-2022-41671

CVSS scores for CVE-2022-41671

CWE ids for CVE-2022-41671

References for CVE-2022-41671