Published:2023/10/23 Last Updated:2023/10/23
JVNVU#98683567
Improper restriction of XML external entity reference (XXE) vulnerability in OMRON CX-Designer
Overview
OMRON CX-Designer contains an improper restriction of XML external entity reference (XXE) vulnerability.
Products Affected
- CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4)
Description
CX-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611).
Impact
If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer provides the below version that contains a fix for this vulnerability.
- CX-Designer Ver.3.750 or later (included in CX-One CXONE-AL[][]D-V4)
Vendor Status
| Vendor | Link |
| OMRON Corporation | Vulnerability Report on Improper Restriction of XML External Entity Reference in CX-Designer |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Base Score:
5.5
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-43624 |
| JVN iPedia |
|