#VU29429 XML External Entity injection in Mitsubishi Electric products - CVE-2020-5602
Published: July 1, 2020
CPU Module Logging Configuration Tool
CW Configurator
EM Software Development Kit
GT Designer3
GX LogViewer
GX Works2
GX Works3
M_CommDTM-HART
M_CommDTM-IO-Link
MELFA-Works
MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool
MELSOFT FieldDeviceConfigurator
MELSOFT iQ AppPortal
MELSOFT Navigator
MI Configurator
Motion Control Setting
MR Configurator2
MT Works2
RT ToolBox2
RT ToolBox3
Mitsubishi Electric
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can use a specially crafted file to send files on the computer running the product to the outside, view the contents of arbitrary files on the system, or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.
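The following pre-open check is an added example, not part of the advisory and not Mitsubishi Electric code. It reports DOCTYPE and entity declarations in an XML file without resolving them, so files that declare external entities can be rejected before an affected tool parses them. The reject-any-DOCTYPE policy, the function names and the sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat

def audit_xml(data: bytes) -> dict:
    """List DTD features in an XML document; no entity is ever fetched."""
    found = {"doctype": False, "external": [], "internal": [], "well_formed": True}
    parser = expat.ParserCreate()  # encoding is auto-detected (UTF-8, UTF-16 BOM)
    # Do not load external DTD subsets or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found["doctype"] = True
        if system_id or public_id:
            found["external"].append(("<external DTD>", system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        label = ("%" if is_param else "") + name
        if system_id is not None or public_id is not None:
            found["external"].append((label, system_id or public_id))
        else:
            found["internal"].append(label)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        found["well_formed"] = False  # keep whatever was seen before the error
    return found

def safe_to_open(data: bytes) -> bool:
    """Assumed policy: plain data files need no DTD, so any DOCTYPE is refused."""
    result = audit_xml(data)
    return result["well_formed"] and not result["doctype"]

# Constructed samples: a plain file, and a UTF-16 file declaring an external entity.
CLEAN = b'<?xml version="1.0"?><project><name>line1</name></project>'
SUSPECT = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<!DOCTYPE project [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    '<project>&ext;</project>'
).encode("utf-16")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, safe_to_open(sample), audit_xml(sample)["external"])
```
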