#VU66579 Path traversal in Proficy Machine Edition
Vulnerability identifier: #VU66579
Vulnerability risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-22
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Proficy Machine Edition
Server applications /
Other server solutions
Vendor: Emerson
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can perform a ZipSlip attack through an upload procedure and execute arbitrary code on the target system.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Proficy Machine Edition: 9.80
External links
http://ics-cert.us-cert.gov/advisories/icsa-22-228-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
