cnvd - cnvd-2018-20475

cnvd-2018-20475

Vulnerability from cnvd

Title: Wecon LeviStudioU信息泄露漏洞

Description:

Wecon LeviStudioU是中国维控科技（Wecon Technologies）公司的一套人机界面编程软件。

Wecon LeviStudioU中项目文件的处理过程存在安全漏洞，该漏洞源于对XML外部实体引用限制不当。远程攻击者可借助特制的文档利用该漏洞在管理员的上下文中泄露信息。

Severity: 中

Formal description:

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： http://www.we-con.com.cn/en/

Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10614

Impacted products

Name
Wecon Technologies Wecon LeviStudioU

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-10614"
    }
  },
  "description": "Wecon LeviStudioU\u662f\u4e2d\u56fd\u7ef4\u63a7\u79d1\u6280\uff08Wecon Technologies\uff09\u516c\u53f8\u7684\u4e00\u5957\u4eba\u673a\u754c\u9762\u7f16\u7a0b\u8f6f\u4ef6\u3002\r\n\r\nWecon LeviStudioU\u4e2d\u9879\u76ee\u6587\u4ef6\u7684\u5904\u7406\u8fc7\u7a0b\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9XML\u5916\u90e8\u5b9e\u4f53\u5f15\u7528\u9650\u5236\u4e0d\u5f53\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u6587\u6863\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7ba1\u7406\u5458\u7684\u4e0a\u4e0b\u6587\u4e2d\u6cc4\u9732\u4fe1\u606f\u3002",
  "discovererName": "The NSFOCUS security team and Ghirmay Desta, working with Trend Micro\u2019s Zero Day Initiative, and Mat Powell and Jose Luis Zayas Banderas of Trend Micro\u2019s Zero Day",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttp://www.we-con.com.cn/en/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-20475",
  "openTime": "2018-10-10",
  "products": {
    "product": "Wecon Technologies Wecon LeviStudioU"
  },
  "referenceLink": "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10614",
  "serverity": "\u4e2d",
  "submitTime": "2018-10-08",
  "title": "Wecon LeviStudioU\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2018-10614 (GCVE-0-2018-10614)

Vulnerability from cvelistv5

Published

2018-10-09 21:00

Modified

2024-09-17 01:40

Severity ?

CWE

CWE-611 - IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE ('XXE')

Summary

An XXE vulnerability in LeviStudioU, Versions 1.8.29 and 1.8.44 can be exploited when the application processes specially crafted project XML files.

References

▼	URL	Tags
	https://ics-cert.us-cert.gov/advisories/ICSA-18-212-03	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WECON Technology Co., Ltd	LeviStudioU	Version: Versions 1.8.29 and 1.8.44

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:46:46.137Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-212-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LeviStudioU",
          "vendor": "WECON Technology Co., Ltd",
          "versions": [
            {
              "status": "affected",
              "version": "Versions 1.8.29 and 1.8.44"
            }
          ]
        }
      ],
      "datePublic": "2018-07-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An XXE vulnerability in LeviStudioU, Versions 1.8.29 and 1.8.44 can be exploited when the application processes specially crafted project XML files."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE (\u0027XXE\u0027) CWE-611",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T20:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-212-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2018-07-31T00:00:00",
          "ID": "CVE-2018-10614",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LeviStudioU",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions 1.8.29 and 1.8.44"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WECON Technology Co., Ltd"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An XXE vulnerability in LeviStudioU, Versions 1.8.29 and 1.8.44 can be exploited when the application processes specially crafted project XML files."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE (\u0027XXE\u0027) CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-212-03",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-212-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2018-10614",
    "datePublished": "2018-10-09T21:00:00Z",
    "dateReserved": "2018-05-01T00:00:00",
    "dateUpdated": "2024-09-17T01:40:31.228Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted