CVE-2023-28003
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to
maintain unauthorized access over a hijacked session in PME after the legitimate user has
signed out of their account.
Source: CVE-2023-28003
CVE-2023-28440
Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untrusted. This issue has been addressed in versions 3.0.3 and 3.1.0.beta4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: CVE-2023-28440
CVE-2023-29411
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow
changes to administrative credentials, leading to potential remote code execution without
requiring prior authentication on the Java RMI interface.
Source: CVE-2023-29411
CVE-2023-25555
A CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS
Command Injection’) vulnerability exists that could allow a user that knows the credentials to
execute unprivileged shell commands on the appliance over SSH.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Source: CVE-2023-25555
CVE-2023-25554
A CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS
Command Injection’) vulnerability exists that allows a local privilege escalation on the appliance
when a maliciously crafted Operating System command is entered on the device.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Source: CVE-2023-25554
CVE-2023-25553
A CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site
Scripting’) vulnerability exists on a DCE endpoint through the logging capabilities of the
webserver.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Source: CVE-2023-25553
CVE-2023-25552
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized
content, changes or deleting of content, or performing unauthorized functions when tampering
the Device File Transfer settings on DCE endpoints.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Source: CVE-2023-25552
CVE-2023-25551
A CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site
Scripting’) vulnerability exists on a DCE file upload endpoint when tampering with parameters
over HTTP.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Source: CVE-2023-25551
CVE-2023-25550
A CWE-94: Improper Control of Generation of Code (‘Code Injection’) vulnerability exists that
allows remote code execution via the “hostname� parameter when maliciously crafted hostname
syntax is entered.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Source: CVE-2023-25550
CVE-2023-25549
A CWE-94: Improper Control of Generation of Code (‘Code Injection’) vulnerability exists that
allows for remote code execution when using a parameter of the DCE network settings
endpoint.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Source: CVE-2023-25549