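On the 12th, the Zero Day Initiative (ZDI) website published more than 20 Schneider Electric 0-days in one batch. The reason given for disclosure is that more than the 120 days ZDI had agreed with the vendor elapsed between the vulnerabilities being submitted to the vendor and the information being released. Most of the 0-days involve U.motion Builder. There is a lot of material, so read through it at your own pace. U.motion Builder is said to be related to building energy-efficiency management systems.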
<b>zdi-17-392</b>
cve:
published: 2017-06-12
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-392">(0day) schneider electric u.motion builder local privilege escalation vulnerability</a>
<b>zdi-17-391</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-391">(0day) schneider electric u.motion builder embedded session id authentication bypass vulnerability</a>
<b>zdi-17-390</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-390">(0day) schneider electric u.motion builder css.inc directory traversal information disclosure vulnerability</a>
<b>zdi-17-389</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-389">(0day) schneider electric u.motion builder runscript directory traversal information disclosure vulnerability</a>
<b>zdi-17-388</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-388">(0day) schneider electric u.motion builder file_picker directory traversal arbitrary file upload remote code execution vulnerability</a>
<b>zdi-17-387</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-387">(0day) schneider electric u.motion builder soap request remote sql command execution vulnerability</a>
<b>zdi-17-386</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-386">(0day) schneider electric u.motion builder error message path information disclosure vulnerability</a>
<b>zdi-17-385</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-385">(0day) schneider electric u.motion builder error information disclosure vulnerability</a>
<b>zdi-17-384</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-384">(0day) schneider electric u.motion builder editobject sql injection remote code execution vulnerability</a>
<b>zdi-17-383</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-383">(0day) schneider electric u.motion builder xmlserver sql injection remote code execution vulnerability</a>
<b>zdi-17-382</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-382">(0day) schneider electric u.motion builder track_getdata sql injection remote code execution vulnerability</a>
<b>zdi-17-381</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-381">(0day) schneider electric u.motion builder nfcserver sql injection remote code execution vulnerability</a>
<b>zdi-17-380</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-380">(0day) schneider electric u.motion builder localize sql injection remote code execution vulnerability</a>
<b>zdi-17-379</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-379">(0day) schneider electric u.motion builder syslog_getdata sql injection remote code execution vulnerability</a>
<b>zdi-17-378</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-378">(0day) schneider electric u.motion builder track_import_export sql injection remote code execution vulnerability</a>
<b>zdi-17-377</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-377">(0day) schneider electric u.motion builder http cookie sql injection remote code execution vulnerability</a>
<b>zdi-17-376</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-376">(0day) schneider electric u.motion builder editscript directory traversal remote code execution vulnerability</a>
<b>zdi-17-375</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-375">(0day) schneider electric u.motion builder message_simple_html reboot parameter denial of service vulnerability</a>
<b>zdi-17-374</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-374">(0day) schneider electric u.motion builder loadtemplate sql injection remote code execution vulnerability</a>
<b>zdi-17-373</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-373">(0day) schneider electric u.motion builder sendmail email_attachment parameter absolute path traversal information disclosure vulnerability</a>
<b>zdi-17-372</b>
<a href="http://www.zerodayinitiative.com/advisories/zdi-17-372">(0day) schneider electric u.motion builder hard-coded password remote code execution vulnerability</a>
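Original publication date: June 13, 2017
Published by: zeroday; copyright belongs to the original author
Original link: http://toutiao.secjia.com/schneider-u-motion-builder-exposes-0day-vulnerabilities
This article comes from Anquanjia (安全加), a partner of the Yunqi Community; for related information, follow the Anquanjia website.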