CVE-2018-17889: XEE
First published: Thu Oct 04 2018(Updated: )
In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior when parsing project files, the XMLParser that ships with Wecon PIStudio is vulnerable to a XML external entity injection attack, which may allow sensitive information disclosure.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| We-con Pi Studio | <=4.2.34 | |
| We-con Pi Studio Hmi | <=4.1.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-17889?
CVE-2018-17889 has a medium severity rating due to its potential for sensitive information disclosure.
How do I fix CVE-2018-17889?
To mitigate CVE-2018-17889, update to Wecon PI Studio version 4.2.35 or later and PI Studio HMI version 4.2.10 or later.
What types of attacks does CVE-2018-17889 allow?
CVE-2018-17889 allows for XML external entity injection attacks, which can lead to sensitive data exposure.
Which versions of Wecon PI Studio are affected by CVE-2018-17889?
Wecon PI Studio versions up to 4.2.34 and PI Studio HMI versions up to 4.1.9 are affected by CVE-2018-17889.
Is sensitive data at risk with CVE-2018-17889?
Yes, vulnerable instances of Wecon PI Studio could expose sensitive data due to XML external entity injection.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/references
- agent/severity
- agent/weakness
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- vendor/we-con
- canonical/we-con pi studio
- version/we-con pi studio/4.2.34
- canonical/we-con pi studio hmi
- version/we-con pi studio hmi/4.1.9