CVE-2012-4709

Invensys Wonderware InTouch HMI 2012 R2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS v2.0 6.9 MEDIUM

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01	US Government Resource
http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:invensys:wonderware_intouch:*:r2:*:*:*:*:*:*

History

21 Nov 2024, 01:43

Type	Values Removed	Values Added
References	~~() http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01 - US Government Resource~~	() http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01 - US Government Resource

Information

Published : 2013-10-13 10:20

Updated : 2024-11-21 01:43

NVD link : CVE-2012-4709

Mitre link : CVE-2012-4709

CVE.ORG link : CVE-2012-4709

JSON object : View

Products Affected

invensys

wonderware_intouch

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

{"id": "CVE-2012-4709", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2013-10-13T10:20:02.927", "references": [{"url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01", "tags": ["US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01", "tags": ["US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "Invensys Wonderware InTouch HMI 2012 R2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}, {"lang": "es", "value": "Invensys Wonderware InTouch HMI 2012 R2 y anteriores permite a atacantes remotos leer archivos de forma arbitraria, enviar peticiones HTTP a servidores de intranet o causar una denegaci\u00f3n de servicio (consumo de memoria y CPU) a trav\u00e9s de un documento XML que contienen declaraciones de entidad externas en conjunto con una referencia a entidad, relacionado con el problema XML External Entity (XXE)"}], "lastModified": "2024-11-21T01:43:23.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:invensys:wonderware_intouch:*:r2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC170EC3-5D1F-4819-9E8F-30616BCCEFBF", "versionEndIncluding": "2012"}], "operator": "OR"}]}], "evaluatorComment": "AV:L per http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01\n\n'This vulnerability is not exploitable remotely'", "sourceIdentifier": "ics-cert@hq.dhs.gov"}