CVE-2018-10832 - XXE vulnerability in Modbuspal Project Modbuspal 1.6

CVSS 5.5 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Tags: local, low complexity, modbuspal-project, CWE-611, exploit available

Summary

ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files; both formats are XML-based and vulnerable to XXE injection. When a user opens or imports a crafted .xmpp or .xmpa file in ModbusPal, the contents of any local files are returned to a remote attacker.

Vulnerable Configurations

Part: Application
Description: Modbuspal_Project
Count: 1

Exploit-Db

description: ModbusPal 1.6b - XML External Entity Injection. CVE-2018-10832. Webapps exploit for Java platform
file: exploits/java/webapps/44607.txt
id: EDB-ID:44607
last seen: 2018-05-24
modified: 2018-05-10
platform: java
port:
published: 2018-05-10
reporter: Exploit-DB
source: https://www.exploit-db.com/download/44607/
title: ModbusPal 1.6b - XML External Entity Injection
type: webapps

Packetstorm

data source: https://packetstormsecurity.com/files/download/147573/modbupal16b-xxe.txt
id: PACKETSTORM:147573
last seen: 2018-05-10
published: 2018-05-10
reporter: Trent Gordon
source: https://packetstormsecurity.com/files/147573/ModbusPal-1.6b-XML-External-Entity-Injection.html
title: ModbusPal 1.6b XML External Entity Injection