CVE-2018-7783 - OpenCVE

Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Somachine Basic

Configuration 1 [-]

cpe:2.3:a:schneider-electric:somachine_basic:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.schneider-electric.com/en/download/document/SEVD-2018-142-01/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2018-05-22T00:00:00

Updated: 2018-07-03T13:57:01

Reserved: 2018-03-08T00:00:00

Link: CVE-2018-7783

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-07-03T14:29:01.477

Modified: 2022-01-31T19:43:33.913

Link: CVE-2018-7783

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "SoMachine Basic", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "SoMachine Basic prior to v1.6 SP1"}]}], "datePublic": "2018-05-22T00:00:00", "descriptions": [{"lang": "en", "value": "Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file."}], "problemTypes": [{"descriptions": [{"description": "Out-Of-Band Remote Arbitrary Data Retrieval", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-03T13:57:01", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-142-01/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "DATE_PUBLIC": "2018-05-22T00:00:00", "ID": "CVE-2018-7783", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SoMachine Basic", "version": {"version_data": [{"version_value": "SoMachine Basic prior to v1.6 SP1"}]}}]}, "vendor_name": "Schneider Electric SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Out-Of-Band Remote Arbitrary Data Retrieval"}]}]}, "references": {"reference_data": [{"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-142-01/", "refsource": "CONFIRM", "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-142-01/"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2018-7783", "datePublished": "2018-05-22T00:00:00", "dateReserved": "2018-03-08T00:00:00", "dateUpdated": "2018-07-03T13:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:somachine_basic:*:*:*:*:*:*:*:*", "matchCriteriaId": "63224499-979C-451A-8E6A-98E65F295166", "versionEndIncluding": "1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file."}, {"lang": "es", "value": "Schneider Electric SoMachine Basic en versiones anteriores a la v1.6 SP1 sufre una vulnerabilidad XXE (XML External Entity) mediante la t\u00e9cnica de entidades de par\u00e1metros DTD, resultando en la revelaci\u00f3n y recuperaci\u00f3n de datos arbitrarios en el nodo afectado mediante un ataque OOB (out-of-band). La vulnerabilidad se desencadena cuando la entrada pasada al analizador xml no se sanea cuando se analiza el archivo de proyecto/plantilla xml."}], "id": "CVE-2018-7783", "lastModified": "2022-01-31T19:43:33.913", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-03T14:29:01.477", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-142-01/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}