COMOS PDMS/E3D Interface Vulnerability Could Allow File Extraction

CVE-2024-54005

5.1MEDIUM

Key Information

Vendor: Siemens
Status: Comos V10.3; Comos V10.4.0; Comos V10.4.1; Comos V10.4.2
Vendor: CVE Published:; 10 December 2024

Summary

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The PDMS/E3D Engineering Interface improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a known location on the user's system or accessible network folders by injecting malicious data into the communication channel between the two systems.

Affected Version(s)

COMOS V10.3 < 0

COMOS V10.4.0 < 0

COMOS V10.4.1 < 0

Refferences

https://cert-portal.siemens.com/productcert/html/ssa-7016...

CVSS V3.1

Score:

5.1

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Nov 26, 2024

Collectors

NVD DatabaseMitre Database