Desigo PXC4 and PXC5 Vulnerability in JavaScript Input Sanitization
CVE-2022-24039
9CRITICAL
Summary
A significant vulnerability exists in the Desigo PXC4 and Desigo PXC5 products due to inadequate sanitization of user-controllable input in the "addCell" JavaScript function. This flaw allows an attacker with limited access to manipulate content used for generating XLS reports, potentially injecting malicious XML tags. By exploiting this vulnerability, it is possible to generate malicious files that, when accessed by higher-privileged users, could result in Remote Code Execution (RCE) on an administrator's workstation.
Affected Version(s)
Desigo PXC4 All versions < V02.20.142.10-10884
Desigo PXC5 All versions < V02.20.142.10-10884
References
CVSS V3.1
Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved