ID

VAR-201807-1868


CVE

CVE-2018-7770


TITLE

Schneider Electric U.motion Builder sendmail email_attachment Parameter Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1 // CNVD: CNVD-2018-07818

DESCRIPTION

The vulnerability exists within processing of sendmail.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The applet allows callers to select arbitrary files to send to an arbitrary email address

Trust: 2.34

sources: NVD: CVE-2018-7770 // JVNDB: JVNDB-2018-007903 // CNVD: CNVD-2018-07818 // IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1 // CNVD: CNVD-2018-07818

AFFECTED PRODUCTS

vendor:schneider electricmodel:u.motionscope:ltversion:1.3.4

Trust: 1.0

vendor:schneider electricmodel:u.motion builder softwarescope:ltversion:1.3.4

Trust: 0.8

vendor:schneidermodel:electric u.motion builderscope:ltversion:1.3.4

Trust: 0.6

vendor:u motionmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1 // CNVD: CNVD-2018-07818 // JVNDB: JVNDB-2018-007903 // NVD: CVE-2018-7770

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7770
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-7770
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-07818
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201807-155
value: MEDIUM

Trust: 0.6

IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2018-7770
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-07818
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-7770
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1 // CNVD: CNVD-2018-07818 // JVNDB: JVNDB-2018-007903 // CNNVD: CNNVD-201807-155 // NVD: CVE-2018-7770

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.0

problemtype:CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2018-007903 // NVD: CVE-2018-7770

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-155

TYPE

Path traversal

Trust: 0.8

sources: IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1 // CNNVD: CNNVD-201807-155

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007903

PATCH

title:SEVD-2018-095-01url:https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-095-01+Security+Notification+Umotion+V1.1.pdf&p_Doc_Ref=SEVD-2018-095-01

Trust: 0.8

title:Schneider Electric U.motion Builder sendmail email_attachment patch for information disclosure vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/125979

Trust: 0.6

title:Schneider Electric U.motion Builder Repair measures for software security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81724

Trust: 0.6

sources: CNVD: CNVD-2018-07818 // JVNDB: JVNDB-2018-007903 // CNNVD: CNNVD-201807-155

EXTERNAL IDS

db:NVDid:CVE-2018-7770

Trust: 3.2

db:SCHNEIDERid:SEVD-2018-095-01

Trust: 2.2

db:CNVDid:CNVD-2018-07818

Trust: 0.8

db:CNNVDid:CNNVD-201807-155

Trust: 0.8

db:ICS CERTid:ICSA-17-180-02

Trust: 0.8

db:JVNDBid:JVNDB-2018-007903

Trust: 0.8

db:IVDid:E2EB8EF1-39AB-11E9-8820-000C29342CB1

Trust: 0.2

sources: IVD: e2eb8ef1-39ab-11e9-8820-000c29342cb1 // CNVD: CNVD-2018-07818 // JVNDB: JVNDB-2018-007903 // CNNVD: CNNVD-201807-155 // NVD: CVE-2018-7770

REFERENCES

url:https://www.schneider-electric.com/en/download/document/sevd-2018-095-01/

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7770

Trust: 0.8

url:https://ics-cert.us-cert.gov/advisories/icsa-17-180-02

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-7770

Trust: 0.8

url:https://download.schneider-electric.com/files?p_endoctype=technical+leaflet&p_file_id=9607472623&p_file_name=sevd-2018-095-01+u.motion.pdf&p_reference=sevd-2018-095-01

Trust: 0.6

sources: CNVD: CNVD-2018-07818 // JVNDB: JVNDB-2018-007903 // CNNVD: CNNVD-201807-155 // NVD: CVE-2018-7770

SOURCES

db:IVDid:e2eb8ef1-39ab-11e9-8820-000c29342cb1
db:CNVDid:CNVD-2018-07818
db:JVNDBid:JVNDB-2018-007903
db:CNNVDid:CNNVD-201807-155
db:NVDid:CVE-2018-7770

LAST UPDATE DATE

2024-11-23T20:50:10.850000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2018-07818date:2018-04-18T00:00:00
db:JVNDBid:JVNDB-2018-007903date:2019-01-09T00:00:00
db:CNNVDid:CNNVD-201807-155date:2019-10-23T00:00:00
db:NVDid:CVE-2018-7770date:2024-11-21T04:12:42.250

SOURCES RELEASE DATE

db:IVDid:e2eb8ef1-39ab-11e9-8820-000c29342cb1date:2018-04-18T00:00:00
db:CNVDid:CNVD-2018-07818date:2018-04-18T00:00:00
db:JVNDBid:JVNDB-2018-007903date:2018-10-01T00:00:00
db:CNNVDid:CNNVD-201807-155date:2018-07-04T00:00:00
db:NVDid:CVE-2018-7770date:2018-07-03T14:29:00.837