Main Vulnerability Database Vulnerabilities #VU19522

#VU19522 XML External Entity injection in Mitsubishi Electric FR Configurator2 - CVE-2019-10976

Published: July 29, 2019 / Updated: July 29, 2019

Vulnerability identifier: #VU19522

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-10976

CWE-ID: CWE-611

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Mitsubishi Electric FR Configurator2

Software vendor:
Mitsubishi Electric

Description

The vulnerability allows a local attacker to gain access to sensitive information.

The vulnerability exists due to the input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). A remote attacker can trick a victim to open a specially crafted file and read arbitrary files on the target system.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

Remediation

Install updates from vendor's website.

External links

https://www.mitsubishielectric.com/fa/download/software/drv/inv/vulnerability-protection/2019-001.pd...

#VU19522 XML External Entity injection in Mitsubishi Electric FR Configurator2 - CVE-2019-10976

Description

Remediation

External links

Please verify you're human