Schneider Electric patched a vulnerability (CVE-2018-7783) in its SoMachine Basic that could result in the disclosure or retrieval of data during an out-of-band attack.
The vulnerability was identified as an out-of-band remote arbitrary data retrieval issue that impacts all versions of SoMachine Basic prior to v1.6 SP1.
“SoMachine Basic suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file,” the company said in a security alert.
The patch can be found here. The flaw was discovered by Gjoko Krstikj of Applied Risk.
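As an added example (not Schneider Electric's or Applied Risk's code), the defensive check that removes the pre-condition for the parameter-entity XXE described above: a loader for XML project/template files that rejects any DOCTYPE or entity declaration before the parser can resolve it. The sample file contents and the `dtd.example.invalid` URL are constructed for illustration.

```python
"""Hardened loader for XML project/template files that refuses any DTD."""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when the document declares a DTD or entities (what XXE needs)."""


def parse_project_xml(data: bytes) -> dict:
    """Parse `data` with expat; abort on DOCTYPE, entity declarations or
    external entity references. Returns the root tag and every (tag, attrs)."""
    p = xml.parsers.expat.ParserCreate()
    # Never load or expand parameter entities (external DTD subsets), the
    # mechanism the out-of-band DTD technique relies on.
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed in project files")

    def on_entity_decl(*args):
        raise UnsafeXMLError("entity declarations are not allowed")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # tell expat to fail instead of fetching the reference

    def on_start(tag, attrs):
        seen.append((tag, dict(attrs)))

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_entity
    p.StartElementHandler = on_start
    p.Parse(data, True)  # handler exceptions propagate out of Parse()
    return {"root": seen[0][0] if seen else None, "elements": seen}


def is_safe_project(data: bytes) -> bool:
    """True if the file parses without any DTD machinery, else False."""
    try:
        parse_project_xml(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed samples: a plain project file and one carrying a DTD with a
# parameter entity that points at an external resource.
SAFE_PROJECT = b'<?xml version="1.0"?><project name="pump"><pou name="main"/></project>'
DTD_PROJECT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE project [<!ENTITY % cfg SYSTEM "http://dtd.example.invalid/p.dtd">]>'
               b'<project name="pump"/>')
```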