First published: Wed Jul 01 2020
Parsing of mwe files in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier is vulnerable to an out-of-bounds read that allows remote code execution. Manipulated PC Worx projects could lead to remote code execution due to insufficient input data validation.
Credit: info@cert.vde.com
Affected Software | Affected Version | How to fix |
---|---|---|
Phoenixcontact Pc Worx | <1.87 | |
Phoenixcontact Pc Worx Express | <=1.87 | |
Phoenix Contact Automationworx | | |
Phoenix Contact PC Worx version 1.87 and prior | | |
Phoenix Contact PC Worx Express version 1.87 and prior | | |
With the next version of the Automation Worx Software Suite (version > 1.87), stricter input data validation will be implemented with respect to buffer size and the description of the size and number of objects referenced in a file.
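The kind of check this remediation describes, as an added example (not Phoenix Contact's code, and not the real mwe format, whose layout this page does not give): a parser for a hypothetical count/size header that rejects declared object counts and sizes the buffer cannot hold, including values whose product wraps around. The layout, function names and sample bytes are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, NOT the real .mwe format:
 *   bytes 0-3 object count (LE u32), bytes 4-7 object size (LE u32),
 *   bytes 8.. count * size bytes of object data. */
#define HDR_LEN 8u

/* Constructed samples: a consistent file, and one whose header claims
 * 0x40000001 objects of 4 bytes (count * size wraps to 4 in 32 bits). */
static const uint8_t good_file[] = {2,0,0,0, 4,0,0,0, 'A','B','C','D','E','F','G','H'};
static const uint8_t bad_file[]  = {1,0,0,0x40, 4,0,0,0, 'A','B','C','D'};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and sets *count / *size if the declared objects fit inside
 * the buffer, -1 otherwise. */
int validate_header(const uint8_t *buf, size_t len,
                    uint32_t *count, uint32_t *size) {
    if (buf == NULL || len < HDR_LEN) return -1;   /* truncated header */
    uint32_t n = rd_le32(buf), sz = rd_le32(buf + 4);
    if (sz == 0) return -1;
    /* Divide instead of multiplying so n * sz cannot wrap around. */
    if (n > (len - HDR_LEN) / sz) return -1;
    *count = n; *size = sz;
    return 0;
}

/* Copies object idx into out; rejects any index or output size that the
 * validated header does not cover. Returns 0 on success, -1 otherwise. */
int read_object(const uint8_t *buf, size_t len, uint32_t idx,
                uint8_t *out, size_t out_len) {
    uint32_t n, sz;
    if (validate_header(buf, len, &n, &sz) != 0) return -1;
    if (idx >= n || out_len < sz) return -1;
    memcpy(out, buf + HDR_LEN + (size_t)idx * sz, sz);
    return 0;
}

int main(void) {
    uint8_t out[4];
    int ok = read_object(good_file, sizeof good_file, 1, out, sizeof out) == 0
          && read_object(bad_file, sizeof bad_file, 0, out, sizeof out) == -1;
    return ok ? 0 : 1;
}
```

A check written as `n * sz <= len - HDR_LEN` in 32-bit arithmetic would accept the second sample, which is why the comparison is done by division.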
The vulnerability ID of this vulnerability is CVE-2020-12498.
The severity rating of CVE-2020-12498 is high (7.8).
Remote attackers can exploit CVE-2020-12498 to execute arbitrary code on affected installations of Phoenix Contact Automationworx.
To exploit CVE-2020-12498, the target must visit a malicious page or open a malicious file.
The affected software versions of Phoenix Contact Automationworx include PC Worx (up to version 1.87) and PC Worx Express (up to version 1.87).