Vulnerabilities > CVE-2018-17889 - XXE vulnerability in We-Con PI Studio and PI Studio HMI

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

we-con

CWE-611

NVD

Published: 2018-10-08

Updated: 2019-10-09

Summary

In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior when parsing project files, the XMLParser that ships with Wecon PIStudio is vulnerable to a XML external entity injection attack, which may allow sensitive information disclosure.

Vulnerable Configurations

Part	Description	Count
Application	We-Con WE CON PI Studio - WE CON PI Studio 4.2.34 WE CON PI Studio HMI - WE CON PI Studio HMI 4.1.9	4

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://ics-cert.us-cert.gov/advisories/ICSA-18-277-01