CVE-2015-6463 - CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers

CVE-2015-6463

Summary

CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a longtag XML schema containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>

References

https://ics-cert.us-cert.gov/advisories/ICSA-15-267-01

Vulnerable Configurations

cpe:2.3:o:codewrights:hart_comm_dtm:*:*:*:*:*:*:*:*
cpe:2.3:o:codewrights:hart_comm_dtm:*:*:*:*:*:*:*:*
cpe:2.3:o:endress\+hauser:hart_comm_dtm:*:*:*:*:*:*:*:*
cpe:2.3:o:endress\+hauser:hart_comm_dtm:*:*:*:*:*:*:*:*

CVSS

Base:	5.8 (as of 29-09-2015 - 19:17)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
ADJACENT_NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:A/AC:L/Au:N/C:P/I:P/A:P

refmap via4

misc

https://ics-cert.us-cert.gov/advisories/ICSA-15-267-01

Last major update

29-09-2015 - 19:17

Published

28-09-2015 - 02:59

Last modified

29-09-2015 - 19:17