Information disclosure in PNOZmulti Configurator - #VU16218

 


Published: December 3, 2018


Vulnerability identifier: #VU16218
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Pilz
Affected software:
PNOZmulti Configurator

Detailed vulnerability description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to cleartext storage of sensitive information in C:\ProgramData\Pilz\PNOZmulti Configurator v10.8.0\AppData\pmimicroconfig\UserSettings.xml. A local attacker with access to the file system of the PC on which PNOZmulti Configurator is used can read sensitive data, such as the configuration data of an HMI device of type PMI m107 diag.


Remediation

Update to version 10.9.
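
A read-only audit for engineering workstations, added here as an example and not taken from the vendor or the advisory: it lists PNOZmulti Configurator data directories, flags versions below 10.9, and reports whether UserSettings.xml is readable by broad local groups. It assumes other versions use the same "PNOZmulti Configurator v<version>" directory layout as the v10.8.0 path above.

```powershell
# Added example: audit PNOZmulti Configurator installs for the cleartext
# UserSettings.xml described in this advisory. Read-only; changes nothing.
# Assumption: other versions use the same "PNOZmulti Configurator v<version>"
# directory layout as the v10.8.0 path given in the advisory.
$root      = 'C:\ProgramData\Pilz'
$fixed     = [version]'10.9'
# Well-known SIDs of broad groups: Everyone, Authenticated Users, BUILTIN\Users
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$readData  = [System.Security.AccessControl.FileSystemRights]::ReadData
$sidType   = [System.Security.Principal.SecurityIdentifier]

$dirs = Get-ChildItem -Path $root -Directory -Filter 'PNOZmulti Configurator v*' -ErrorAction SilentlyContinue
foreach ($dir in $dirs) {
    # Pull the version out of the directory name; skip names that do not fit.
    if ($dir.Name -notmatch ' v(\d+(\.\d+){1,3})$') { continue }
    $installed = [version]$Matches[1]
    $file   = Join-Path $dir.FullName 'AppData\pmimicroconfig\UserSettings.xml'
    $exists = Test-Path -LiteralPath $file -PathType Leaf

    $readers = @()
    if ($exists) {
        # Resolve ACL entries to SIDs so the check works on localized Windows.
        $rules   = (Get-Acl -LiteralPath $file).GetAccessRules($true, $true, $sidType)
        $readers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $readData) -ne 0 -and
            $broadSids -contains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value })
    }

    [pscustomobject]@{
        Directory         = $dir.Name
        Version           = $installed
        BelowFixedVersion = $installed -lt $fixed
        SettingsFile      = $exists
        BroadReadSids     = ($readers | Sort-Object -Unique) -join ','
    }
}
```

A row with BelowFixedVersion set to True and a non-empty BroadReadSids marks a workstation where any local user can read the settings file.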
