CVE-2024-1167 - Vulnerability Details - OpenCVE

When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00084.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Seweurodrive	Movitools Motionstudio

Configuration 1 [-]

cpe:2.3:a:seweurodrive:movitools_motionstudio:6.5.0.2:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-16935	When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.

Fixes

Solution

No solution given by the vendor.

Workaround

SEW-EURODRIVE has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of MOVITOOLS MotionStudio are invited to contact SEW-EURODRIVE https://www.seweurodrive.com/contact_us/contact_us.html for additional information.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01
https://www.seweurodrive.com/contact_us/contact_us.html

History

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00128}`	epss `{'score': 0.00084}`

Thu, 15 May 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-02-01T18:01:24.776Z

Updated: 2025-05-15T19:51:29.890Z

Reserved: 2024-02-01T17:50:04.071Z

Link: CVE-2024-1167

Vulnrichment

Updated: 2024-08-01T18:33:24.882Z

NVD

Status : Modified

Published: 2024-02-01T18:15:53.637

Modified: 2024-11-21T08:49:56.880

Link: CVE-2024-1167

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1167", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-02-01T17:50:04.071Z", "datePublished": "2024-02-01T18:01:24.776Z", "dateUpdated": "2025-05-15T19:51:29.890Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MOVITOOLS MotionStudio", "vendor": "SEW-EURODRIVE", "versions": [{"status": "affected", "version": "6.5.0.2"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Esjay working with Trend Micro Zero Day Initiative reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.</span>\n\n"}], "value": "\nWhen SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-02-01T18:01:24.776Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01"}, {"url": "https://www.seweurodrive.com/contact_us/contact_us.html"}], "source": {"discovery": "EXTERNAL"}, "title": "SEW-EURODRIVE MOVITOOLS MotionStudio Improper Restriction of XML External Entity Reference", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">SEW-EURODRIVE has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of MOVITOOLS MotionStudio are invited to contact </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.seweurodrive.com/contact_us/contact_us.html\">SEW-EURODRIVE</a><span style=\"background-color: rgb(255, 255, 255);\"> for additional information.</span>\n\n<br>"}], "value": "\nSEW-EURODRIVE has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of MOVITOOLS MotionStudio are invited to contact SEW-EURODRIVE https://www.seweurodrive.com/contact_us/contact_us.html \u00a0for additional information.\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:24.882Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01", "tags": ["x_transferred"]}, {"url": "https://www.seweurodrive.com/contact_us/contact_us.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T15:50:16.014843Z", "id": "CVE-2024-1167", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T19:51:29.890Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01", "tags": ["x_transferred"]}, {"url": "https://www.seweurodrive.com/contact_us/contact_us.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:24.882Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1167", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T15:50:16.014843Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T15:50:17.519Z"}}], "cna": {"title": "SEW-EURODRIVE MOVITOOLS MotionStudio Improper Restriction of XML External Entity Reference", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Esjay working with Trend Micro Zero Day Initiative reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SEW-EURODRIVE", "product": "MOVITOOLS MotionStudio", "versions": [{"status": "affected", "version": "6.5.0.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01"}, {"url": "https://www.seweurodrive.com/contact_us/contact_us.html"}], "workarounds": [{"lang": "en", "value": "\nSEW-EURODRIVE has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of MOVITOOLS MotionStudio are invited to contact SEW-EURODRIVE https://www.seweurodrive.com/contact_us/contact_us.html \u00a0for additional information.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">SEW-EURODRIVE has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of MOVITOOLS MotionStudio are invited to contact </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.seweurodrive.com/contact_us/contact_us.html\">SEW-EURODRIVE</a><span style=\"background-color: rgb(255, 255, 255);\"> for additional information.</span>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nWhen SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.</span>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-02-01T18:01:24.776Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1167", "state": "PUBLISHED", "dateUpdated": "2025-05-15T19:51:29.890Z", "dateReserved": "2024-02-01T17:50:04.071Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-02-01T18:01:24.776Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:seweurodrive:movitools_motionstudio:6.5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "12CC889F-0ECB-4127-BF4C-C9496B0C5884", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nWhen SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.\n\n"}, {"lang": "es", "value": "Cuando SEW-EURODRIVE MOVITOOLS MotionStudio procesa informaci\u00f3n XML, se puede acceder sin restricciones a los archivos."}], "id": "CVE-2024-1167", "lastModified": "2024-11-21T08:49:56.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-01T18:15:53.637", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://www.seweurodrive.com/contact_us/contact_us.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.seweurodrive.com/contact_us/contact_us.html"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}