CVE-2024-49704XML External Entity (XXE) Injection in Siemens Comos V10.3

CWE-611XML External Entity (XXE) Injection3 documents3 sources
Severity
5.7MEDIUMNVD
EPSS
0.1%
top 78.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Siemens Comos V10.3Siemens Comos V10.4.0Siemens Comos V10.4.1+4 more
Timeline
PublishedDec 10

Description

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The Generic Data Mapper, the Engineering Adapter, and the Engineering Interface improperly handle XML External Entity (XXE) entries when parsing configuration and mapping files. This could allow

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages7 packages

CVEListV5siemens/comos_v10.3< V10.3.3.5.8
CVEListV5siemens/comos_v10.4.0< *
CVEListV5siemens/comos_v10.4.1< *
CVEListV5siemens/comos_v10.4.2< *
CVEListV5siemens/comos_v10.4.3< V10.4.3.0.47

🔴Vulnerability Details

2
GHSA
GHSA-f34q-hm3j-vf93: A vulnerability has been identified in COMOS V102024-12-10
CVEList
CVE-2024-49704: A vulnerability has been identified in COMOS V102024-12-10
CVE-2024-49704 — XML External Entity (XXE) Injection | cvebase