Multiple remote code execution vulnerabilities have been fixed in Schneider Electric’s U.motion Builder.
CVE-2018-7784 arises because the application improperly evaluates input string data as a command. This could allow attackers to execute code, read the stack, or cause a segmentation fault in the running application.
In addition, U.motion Builder is affected by an XSS vulnerability (CVE-2018-7786), which could allow injection of malicious scripts, and an improper input validation flaw (CVE-2018-7787), which could allow the disclosure of sensitive information.
U.motion Builder enables users to create projects for their U.motion devices, which provide comprehensive management functionality for residential and industrial spaces. U.motion is designed to automate a broad range of processes in buildings, from turning lights on and off to controlling power consumption and performing video surveillance. The solution is used in commercial and industrial spaces across the globe.