Main Vulnerability Database SB2019051416

SB2019051416 - Deserialization of Untrusted Data in Siemens LOGO! Soft Comfort

Published: May 14, 2019 Updated: June 19, 2019

Security Bulletin ID SB2019051416

CSH Severity

High

Patch available

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2019-10924)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A local attacker can trick a legitimate user to open a manipulated project file, to execute arbitrary code on the targeted system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-102144.pdf