Phoenix Contact: PC Worx/-Express prone to improper input validation vulnerability
CVE-2021-34597
7.8 HIGH
Summary
An improper input validation vulnerability in the Phoenix Contact PC Worx Automation Suite up to and including version 1.88 allows an attacker who supplies a manipulated project file to have files unpacked to arbitrary locations outside the selected project directory: the paths contained in the project file are not validated against that directory when the project is unpacked. The victim must open the manipulated project file (local attack vector, user interaction required), no prior privileges are needed, and the resulting arbitrary file write rates high for confidentiality, integrity and availability. Until an updated version is installed, project files should only be opened from trusted sources.
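The bug class described above is a path traversal during archive unpacking. The following is an added example, not code from Phoenix Contact or from the advisory, and it assumes for illustration that the project file is a ZIP-style archive (the advisory does not state the format). It shows the vulnerable pattern (joining each member name onto the destination without checks) next to a hardened unpacker that resolves every member path, refuses any that leaves the project directory, and validates the whole archive before writing a single file. The archive it operates on is constructed in memory; the member name "../../escaped.txt" is the sample malicious input.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_archive(include_escape: bool) -> bytes:
    """Constructed sample archive (not a real PC Worx project): one legitimate
    member and, optionally, one whose name climbs out of the target directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.xml", "<project/>")
        if include_escape:
            zf.writestr("../../escaped.txt", "written outside the project dir")
    return buf.getvalue()


def unpack_naive(archive: bytes, dest: str) -> list:
    """Vulnerable pattern: joins each member name onto dest without validation,
    so '..' components in a crafted archive walk out of the directory."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def unpack_safe(archive: bytes, dest: str) -> list:
    """Hardened pattern: resolve every member path (absolute names, '..', and
    symlinked prefixes included) and require it to stay under dest. All
    members are checked before anything is written, so a bad archive leaves
    no partial output behind."""
    dest_root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = []
        for info in zf.infolist():
            target = (dest_root / info.filename).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise ValueError(f"member escapes project directory: {info.filename!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


def demonstrate() -> dict:
    """Run both unpackers inside a scratch tree and report what happened."""
    malicious = build_archive(include_escape=True)
    benign = build_archive(include_escape=False)
    with tempfile.TemporaryDirectory() as scratch:
        naive_dest = os.path.join(scratch, "naive", "b", "project")
        safe_dest = os.path.join(scratch, "safe", "b", "project")
        os.makedirs(naive_dest)
        os.makedirs(safe_dest)
        naive_root = Path(naive_dest).resolve()
        # Files the naive unpacker placed outside its own destination.
        outside = [p for p in unpack_naive(malicious, naive_dest)
                   if naive_root not in Path(p).resolve().parents]
        try:
            unpack_safe(malicious, safe_dest)
            rejected = False
        except ValueError:
            rejected = True
        leftovers = os.listdir(safe_dest)
        benign_written = unpack_safe(benign, safe_dest)
    return {
        "naive_wrote_outside": len(outside),
        "safe_rejected": rejected,
        "safe_left_files": leftovers,
        "safe_benign_written": len(benign_written),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The check compares resolved paths rather than string prefixes: a prefix test on "C:\projects\x" would also accept "C:\projects\x-evil", and it would not catch a member whose leading directory is a symlink pointing elsewhere. Note that Python's own `ZipFile.extractall` strips `..` components, which is why the vulnerable variant joins names manually to reproduce the flaw.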
Affected Version(s)
PC Worx <= 1.88
PC Worx Express <= 1.88
References
CVSS V3.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
The vulnerability was discovered by Jake Baines of Dragos Inc. We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.