Schneider Electric Web Designer for Modicon

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Web Designer for Modicon
  • Vulnerability: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in information disclosure, workstation integrity and potential remote code execution on the compromised computer.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Web Designer for Modicon are affected:

  • Web Designer for BMXNOR0200H: All versions
  • Web Designer for BMXNOE0110(H): All versions
  • Web Designer for BMENOC0311(C): All versions
  • Web Designer for BMENOC0321(C): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

The affected product is vulnerable to an improper restriction of XML external entity reference vulnerability that could cause information disclosure, impacts to workstation integrity, and potential remote code execution on the compromised computer when a specifically crafted XML file is imported in the Web Designer configuration tool.

CVE-2024-12476 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION:[…]
    Content was cut in order to protect the source.Please visit the source for the rest of the article.

    This article has been indexed from All CISA Advisories

    Read the original article: