Improper Input Validation in Cscape by Horner Automation
CVE-2022-3378

7.8HIGH

Key Information:

Vendor: Horner Automation
Status: Cscape
Vendor: CVE Published:; 27 October 2022

🔔 Create Horner Automation Vulnerability Alert

What is CVE-2022-3378?

Horner Automation's Cscape software prior to version 9.90 SP 7 lacks proper validation of user-supplied data. This vulnerability occurs when a maliciously crafted FNT file is opened, potentially allowing an attacker to execute arbitrary code in the context of the current process. By exploiting an uninitialized pointer, the attacker can perform an out-of-bounds memory write, which poses serious risks to the security and integrity of the system.

Affected Version(s)

Cscape 0 <= 9.90

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-277-03

government-resource

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 27, 2022
Vulnerability Reserved
Sep 30, 2022

Credit

Michael Heinzl

CVE-2022-3378 Data

JSON