CVE-2022-24039 - OpenCVE

A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The “addCell” JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator’s workstation.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Siemens	Desigo Pxc5 Desigo Pxc5 Firmware Desigo Pxc4 Desigo Pxc4 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:siemens:desigo_pxc5_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc5:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:siemens:desigo_pxc4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc4:-:*:*:*:*:*:*:*

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: siemens

Published: 2022-05-10T09:46:46

Updated: 2022-06-14T09:21:29

Reserved: 2022-01-27T00:00:00

Link: CVE-2022-24039

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-10T11:15:08.237

Modified: 2023-06-30T18:48:00.477

Link: CVE-2022-24039

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Desigo PXC4", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions < V02.20.142.10-10884"}]}, {"product": "Desigo PXC5", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions < V02.20.142.10-10884"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The \u201caddCell\u201d JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator\u2019s workstation."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-75", "description": "CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-14T09:21:29", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2022-24039", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Desigo PXC4", "version": {"version_data": [{"version_value": "All versions < V02.20.142.10-10884"}]}}, {"product_name": "Desigo PXC5", "version": {"version_data": [{"version_value": "All versions < V02.20.142.10-10884"}]}}]}, "vendor_name": "Siemens"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The \u201caddCell\u201d JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator\u2019s workstation."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2022-24039", "datePublished": "2022-05-10T09:46:46", "dateReserved": "2022-01-27T00:00:00", "dateUpdated": "2022-06-14T09:21:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:desigo_pxc5_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B710014-DE57-43C2-9BFE-A4F8AF6542D5", "versionEndExcluding": "02.20.142.10-10884", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:desigo_pxc5:-:*:*:*:*:*:*:*", "matchCriteriaId": "C4E2A7F6-B6E5-4230-8F13-64745C434A71", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:desigo_pxc4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "84D6AF5F-AD6D-4A30-9D72-31A3BA2A5DC3", "versionEndExcluding": "02.20.142.10-10884", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:desigo_pxc4:-:*:*:*:*:*:*:*", "matchCriteriaId": "0327220F-B5E6-4722-AEB2-BC4C21F1060D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The \u201caddCell\u201d JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator\u2019s workstation."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Desigo PXC4 (Todas las versiones anteriores a V02.20.142.10-10884), Desigo PXC5 (Todas las versiones anteriores a V02.20.142.10-10884). La funci\u00f3n JavaScript \"addCell\" no sanea adecuadamente la entrada controlable por el usuario antes de incluirla en el cuerpo XML generado del documento de informe XLS, de modo que es posible inyectar contenido arbitrario (por ejemplo, etiquetas XML) en el archivo generado. Un atacante con privilegios restringidos, al envenenar cualquiera de los contenidos utilizados para generar informes XLS, podr\u00eda aprovechar la aplicaci\u00f3n para entregar archivos maliciosos contra usuarios con mayores privilegios y obtener la Ejecuci\u00f3n Remota de C\u00f3digo (RCE) contra la estaci\u00f3n de trabajo del administrador"}], "id": "CVE-2022-24039", "lastModified": "2023-06-30T18:48:00.477", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-10T11:15:08.237", "references": [{"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-75"}], "source": "productcert@siemens.com", "type": "Secondary"}]}