ID CVE-2018-10832
Summary ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal, will return the contents of any local files to a remote attacker.
References
Vulnerable Configurations
  • cpe:2.3:a:modbuspal_project:modbuspal:1.6:b:*:*:*:*:*:*
    cpe:2.3:a:modbuspal_project:modbuspal:1.6:b:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 13-06-2018 - 13:16)
Impact:
Exploitability:
CWE CWE-611
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
assigner via4 cve@mitre.org
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
refmap via4
exploit-db 44607
misc http://packetstormsecurity.com/files/147573/ModbusPal-1.6b-XML-External-Entity-Injection.html
vulnerable_product via4 cpe:2.3:a:modbuspal_project:modbuspal:1.6:b:*:*:*:*:*:*
Last major update 13-06-2018 - 13:16
Published 11-05-2018 - 21:29
Back to Top