CVE-2024-54005XML External Entity (XXE) Injection in Siemens Comos V10.3

CWE-611XML External Entity (XXE) Injection3 documents3 sources
Severity
5.9MEDIUMNVD
EPSS
0.1%
top 84.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Siemens Comos V10.3Siemens Comos V10.4.0Siemens Comos V10.4.1+4 more
Timeline
PublishedDec 10

Description

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The PDMS/E3D Engineering Interface improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a kn

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages7 packages

CVEListV5siemens/comos_v10.3< V10.3.3.5.8
CVEListV5siemens/comos_v10.4.0< *
CVEListV5siemens/comos_v10.4.1< *
CVEListV5siemens/comos_v10.4.2< *
CVEListV5siemens/comos_v10.4.3< V10.4.3.0.47

🔴Vulnerability Details

2
CVEList
CVE-2024-54005: A vulnerability has been identified in COMOS V102024-12-10
GHSA
GHSA-w23f-22px-mx2g: A vulnerability has been identified in COMOS V102024-12-10
CVE-2024-54005 — XML External Entity (XXE) Injection | cvebase