ID

VAR-202202-0288


CVE

CVE-2022-22807


TITLE

Multiple Schneider Electric products: Improper Restriction of Rendered User Interface Layers or Frames vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-005149

DESCRIPTION

A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes.

Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13).

Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote malicious user to write files or disclose sensitive information on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-filewrite-bsFVwueV

Trust: 1.8

sources: NVD: CVE-2022-22807 // JVNDB: JVNDB-2022-005149 // VULHUB: VHN-411532 // VULMON: CVE-2022-22807

AFFECTED PRODUCTS

vendor: schneider electric | model: hmibscea53d1esm | scope: lt | version: 4.0.0.13

Trust: 1.0

vendor: schneider electric | model: hmibscea53d1edb | scope: lt | version: 4.0.0.13

Trust: 1.0

vendor: schneider electric | model: hmibscea53d1ess | scope: lt | version: 4.0.0.13

Trust: 1.0

vendor: schneider electric | model: hmibscea53d1edm | scope: lt | version: 4.0.0.13

Trust: 1.0

vendor: schneider electric | model: hmibscea53d1eds | scope: lt | version: 4.0.0.13

Trust: 1.0

vendor: schneider electric | model: hmibscea53d1edl | scope: lt | version: 4.0.0.13

Trust: 1.0

vendor: schneider electric | model: hmibscea53d1eml | scope: lt | version: 4.0.0.13

Trust: 1.0

vendor: schneider electric | model: hmibscea53d1eml | scope: - | version: -

Trust: 0.8

vendor: schneider electric | model: hmibscea53d1eds | scope: - | version: -

Trust: 0.8

vendor: schneider electric | model: hmibscea53d1edl | scope: - | version: -

Trust: 0.8

vendor: schneider electric | model: hmibscea53d1edm | scope: - | version: -

Trust: 0.8

vendor: schneider electric | model: hmibscea53d1esm | scope: - | version: -

Trust: 0.8

vendor: schneider electric | model: hmibscea53d1edb | scope: - | version: -

Trust: 0.8

vendor: schneider electric | model: hmibscea53d1ess | scope: - | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-005149 // NVD: CVE-2022-22807

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22807
value: HIGH

Trust: 1.0

NVD: CVE-2022-22807
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202202-896
value: HIGH

Trust: 0.6

VULHUB: VHN-411532
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-22807
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-22807
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-411532
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-22807
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 4.0
version: 3.1

Trust: 1.0

NVD: CVE-2022-22807
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-411532 // VULMON: CVE-2022-22807 // JVNDB: JVNDB-2022-005149 // CNNVD: CNNVD-202202-896 // NVD: CVE-2022-22807

PROBLEMTYPE DATA

problemtype: CWE-1021

Trust: 1.0

problemtype: Improper Restriction of Rendered User Interface Layers or Frames (CWE-1021) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-005149 // NVD: CVE-2022-22807

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-896

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202202-896

PATCH

title: SEVD-2022-039-02 | url: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-02

Trust: 0.8

title: EcoStruxure EV Charging Expert Fixes for other vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=182500

Trust: 0.6

title: Cisco: Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities | url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-expressway-filewrite-bsFVwueV

Trust: 0.1

title: - | url: https://github.com/Live-Hack-CVE/CVE-2022-22807

Trust: 0.1

title: - | url: https://github.com/VulnTotal-Team/vehicle_cves

Trust: 0.1

sources: VULMON: CVE-2022-22807 // JVNDB: JVNDB-2022-005149 // CNNVD: CNNVD-202202-896

EXTERNAL IDS

db: NVD | id: CVE-2022-22807

Trust: 3.4

db: SCHNEIDER | id: SEVD-2022-039-02

Trust: 1.8

db: JVNDB | id: JVNDB-2022-005149

Trust: 0.8

db: CNNVD | id: CNNVD-202202-896

Trust: 0.6

db: VULHUB | id: VHN-411532

Trust: 0.1

db: VULMON | id: CVE-2022-22807

Trust: 0.1

sources: VULHUB: VHN-411532 // VULMON: CVE-2022-22807 // JVNDB: JVNDB-2022-005149 // CNNVD: CNNVD-202202-896 // NVD: CVE-2022-22807

REFERENCES

url: https://download.schneider-electric.com/files?p_doc_ref=sevd-2022-039-02

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2022-22807

Trust: 1.4

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-expressway-filewrite-bsfvwuev

Trust: 0.7

url: https://cwe.mitre.org/data/definitions/1021.html

Trust: 0.1

url: https://github.com/live-hack-cve/cve-2022-22807

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-411532 // VULMON: CVE-2022-22807 // JVNDB: JVNDB-2022-005149 // CNNVD: CNNVD-202202-896 // NVD: CVE-2022-22807

SOURCES

db: VULHUB | id: VHN-411532
db: VULMON | id: CVE-2022-22807
db: JVNDB | id: JVNDB-2022-005149
db: CNNVD | id: CNNVD-202202-896
db: NVD | id: CVE-2022-22807

LAST UPDATE DATE

2024-11-23T22:15:57.075000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-411532 | date: 2023-02-22T00:00:00
db: VULMON | id: CVE-2022-22807 | date: 2023-02-22T00:00:00
db: JVNDB | id: JVNDB-2022-005149 | date: 2023-05-19T06:52:00
db: CNNVD | id: CNNVD-202202-896 | date: 2022-05-19T00:00:00
db: NVD | id: CVE-2022-22807 | date: 2024-11-21T06:47:29.110

SOURCES RELEASE DATE

db: VULHUB | id: VHN-411532 | date: 2022-02-09T00:00:00
db: VULMON | id: CVE-2022-22807 | date: 2022-02-09T00:00:00
db: JVNDB | id: JVNDB-2022-005149 | date: 2023-05-19T00:00:00
db: CNNVD | id: CNNVD-202202-896 | date: 2022-02-09T00:00:00
db: NVD | id: CVE-2022-22807 | date: 2022-02-09T23:15:19.197