CVE-2023-43624: Improper restriction of XML external entity reference (XXE) vulnerability in OMRON CX-Designer

Published:2023/10/23 Last Updated:2023/10/23

Overview

OMRON CX-Designer contains an improper restriction of XML external entity reference (XXE) vulnerability.

Products Affected

• CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4)

Regarding how to check versions, see the manual "CX-Designer Ver.3.[] USER’S MANUAL (V099-E1-12)" provided by the developer.

Description

CX-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611).

Impact

If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The developer provides the below version that contains a fix for this vulnerability.

• CX-Designer Ver.3.750 or later (included in CX-One CXONE-AL[][]D-V4)

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector(AV)

Physical §

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required ®

None (N)

Scope(S)

Unchanged (U)

Changed ©

Confidentiality Impact©

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

Credit

Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert

JPCERT Reports

CERT Advisory

CPNI Advisory

TRnotes

CVE

CVE-2023-43624

JVN iPedia