Vulnerability Description
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schneider-Electric | Sage Rtu Firmware | < c3414-500-s02k5_p9 |
| Schneider-Electric | Sage 1410 | - |
| Schneider-Electric | Sage 1430 | - |
| Schneider-Electric | Sage 1450 | - |
| Schneider-Electric | Sage 2400 | - |
| Schneider-Electric | Sage 3030 Magnum | - |
| Schneider-Electric | Sage 4400 | - |
References
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDoc (Patch, Vendor Advisory)
FAQ
What is CVE-2024-37038?
CVE-2024-37038 is a vulnerability with a CVSS score of 7.5 (HIGH). CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.
How severe is CVE-2024-37038?
CVE-2024-37038 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-37038?
Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Sage Rtu Firmware, Schneider-Electric Sage 1410, Schneider-Electric Sage 1430, Schneider-Electric Sage 1450, Schneider-Electric Sage 2400.