JVNVU#94200979
Improper restriction of XML external entity reference (XXE) vulnerability in OMRON CX-Motion Pro
Overview
OMRON CX-Motion Pro contains an improper restriction of XML external entity reference (XXE) vulnerability.
Products Affected
- CX-Motion Pro 1.4.6.013 and earlier
Description
CX-Motion Pro provided by OMRON Corporation contains an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611).
Impact
If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer provides the following version, which contains a fix for this vulnerability, through its CX-Motion Pro Auto-Update service.
- CX-Motion Pro 1.4.6.014
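The Impact section describes disclosure triggered by opening a crafted project file. As an added example (not code from OMRON or JPCERT/CC), the Python check below inspects an XML file's prolog for a DOCTYPE and entity declarations without resolving them, so files from untrusted sources can be triaged before they are opened. It assumes the project file is XML and that a legitimate one carries no DTD; the element names, the entity target and the function names are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed samples: element names and the entity target are placeholders,
# not taken from a real CX-Motion Pro project file.
BENIGN = b'<?xml version="1.0"?><Project name="demo"><Axis id="1"/></Project>'
SUSPECT = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE Project [\n'
           b'  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">\n'
           b']>\n'
           b'<Project name="demo">&ext;</Project>')


class _PrologDone(Exception):
    """Raised at the root element: the DTD, if any, has been seen by then."""


def inspect_prolog(data: bytes) -> dict:
    """Report DOCTYPE and entity declarations without resolving any entity."""
    found = {"doctype": False, "external_dtd": None,
             "external_entities": [], "internal_entities": [], "error": None}
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found["doctype"] = True
        found["external_dtd"] = system_id      # None when no external subset

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:                      # external: declared via SYSTEM/PUBLIC
            found["external_entities"].append((name, system_id))
        else:                                  # internal: literal replacement text
            found["internal_entities"].append(name)

    def on_root(name, attrs):
        raise _PrologDone                      # stop before any content is expanded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    except expat.ExpatError as exc:            # malformed input is itself worth review
        found["error"] = str(exc)
    return found


def needs_review(data: bytes) -> bool:
    """Assumption: a legitimate project file carries no DTD at all."""
    f = inspect_prolog(data)
    return bool(f["doctype"] or f["error"])
```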
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |
Credit
Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
CVE | CVE-2023-22322