XML External Entity injection in Mitsubishi Electric products - CVE-2021-20595
Published: July 2, 2021
Vulnerability identifier: #VU54512
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-20595
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
G-50A
GB-50A
GB-24A
AG-150A-A
AG-150A-J
GB-50ADA-A
GB-50ADA-J
EB-50GU-A
EB-50GU-J
AE-200A
AE-200E
AE-50A
AE-50E
EW-50A
EW-50E
TE-200A
TE-50A
TW-50A
CMS-RMD-J
PAC-YG50ECA
BAC-HD150
G-50A
GB-50A
GB-24A
AG-150A-A
AG-150A-J
GB-50ADA-A
GB-50ADA-J
EB-50GU-A
EB-50GU-J
AE-200A
AE-200E
AE-50A
AE-50E
EW-50A
EW-50E
TE-200A
TE-50A
TW-50A
CMS-RMD-J
PAC-YG50ECA
BAC-HD150
Software vendor:
Mitsubishi Electric
Mitsubishi Electric
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
Remediation
Install updates from vendor's website.