CVE-2019-10976 - Vulnerability Details - OpenCVE

Description

Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.

Published: 2019-07-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mitsubishi Electric

Mitsubishi Electric FR Configurator2

affected

Version	Status	Constraints
`Version 1.16S and prior`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:mitsubishielectric:electric_fr_configurator2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:electric_fr_configurator2:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2019-2690	Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00206.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.us-cert.gov/ics/advisories/icsa-19-204-01

History

No history.

Subscriptions

Mitsubishielectric Electric Fr Configurator2 Electric Fr Configurator2 Firmware

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-07-25T23:27:48.000Z

Updated: 2024-08-04T22:40:15.615Z

Reserved: 2019-04-08T00:00:00.000Z

Link: CVE-2019-10976

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-26T00:15:11.403

Modified: 2024-11-21T04:20:16.847

Link: CVE-2019-10976

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-611

{"containers": {"cna": {"affected": [{"product": "Mitsubishi Electric FR Configurator2", "vendor": "Mitsubishi Electric", "versions": [{"status": "affected", "version": "Version 1.16S and prior"}]}], "descriptions": [{"lang": "en", "value": "Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-25T23:27:48.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-204-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-10976", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mitsubishi Electric FR Configurator2", "version": {"version_data": [{"version_value": "Version 1.16S and prior"}]}}]}, "vendor_name": "Mitsubishi Electric"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsa-19-204-01", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-204-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:40:15.615Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-204-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-10976", "datePublished": "2019-07-25T23:27:48.000Z", "dateReserved": "2019-04-08T00:00:00.000Z", "dateUpdated": "2024-08-04T22:40:15.615Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:electric_fr_configurator2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C97C383-D103-4064-A5EC-5F998E7E8DF3", "versionEndExcluding": "1.16s", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:electric_fr_configurator2:-:*:*:*:*:*:*:*", "matchCriteriaId": "795E70FF-FD1A-4249-BB49-1CB3233EF6F6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files."}, {"lang": "es", "value": "FR Configurator2 de Mitsubishi Electric, versi\u00f3n 1.16S y anteriores. Esta vulnerabilidad es activada cuando la entrada pasada hacia el analizador XML no es saneada mientras se analiza el proyecto XML y/o el archivo de plantilla (.frc2). Una vez que un usuario abre el archivo, el atacante podr\u00eda leer archivos arbitrarios."}], "id": "CVE-2019-10976", "lastModified": "2024-11-21T04:20:16.847", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-26T00:15:11.403", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-204-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-204-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}