ID

VAR-201308-0399


TITLE

Schneider Electric OFS XML External Entity Injection Vulnerability

Trust: 0.9

sources: BID: 62081 // CNNVD: CNNVD-201308-517

DESCRIPTION

Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. Schneider Electric OFS software has errors in parsing XML external entities, allowing attackers to use specially crafted XML data to obtain local resource information or consume a large amount of server resources. Schneider Electric OFS (OPC Factory Server) is a set of client applications from Schneider Electric (France) that access data in real time. The application has features such as easy integration and custom interfaces. An XML external entity injection vulnerability exists in Schneider Electric OFS 3.40 and earlier. A local attacker could use this vulnerability to gain sensitive information or cause a denial of service.

Trust: 1.35

sources: CNVD: CNVD-2013-12785 // CNNVD: CNNVD-201308-517 // BID: 62081

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-12785

AFFECTED PRODUCTS

vendor: schneider, model: electric ofs, scope: eq, version: 3.x

Trust: 0.6

vendor: schneider electric, model: ofs, scope: eq, version: 3.40

Trust: 0.3

sources: CNVD: CNVD-2013-12785 // BID: 62081

CVSS

SEVERITY

CNVD: CNVD-2013-12785
value: MEDIUM

Trust: 0.6

CVSSV2

CNVD: CNVD-2013-12785
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

-

sources: CNVD: CNVD-2013-12785

THREAT TYPE

local

Trust: 0.9

sources: BID: 62081 // CNNVD: CNNVD-201308-517

TYPE

Unknown

Trust: 0.3

sources: BID: 62081

PATCH

title: Patch for Schneider Electric OFS XML External Entity Reference Vulnerability
url: https://www.cnvd.org.cn/patchinfo/show/39291

Trust: 0.6

sources: CNVD: CNVD-2013-12785

EXTERNAL IDS

db: SCHNEIDER, id: SEVD-2013-235-01

Trust: 0.9

db: BID, id: 62081

Trust: 0.9

db: SECUNIA, id: 54616

Trust: 0.6

db: CNVD, id: CNVD-2013-12785

Trust: 0.6

db: CNNVD, id: CNNVD-201308-517

Trust: 0.6

sources: CNVD: CNVD-2013-12785 // BID: 62081 // CNNVD: CNNVD-201308-517

REFERENCES

url:http://download.schneider-electric.com/files?p_file_id=153783092&p_file_name=sevd-2013-235-01-ofs.pdf

Trust: 0.9

url:http://www.secunia.com/advisories/54616/

Trust: 0.6

url:http://www.securityfocus.com/bid/62081

Trust: 0.6

url:http://www.schneider-electric.com/products/ww/en/

Trust: 0.3

sources: CNVD: CNVD-2013-12785 // BID: 62081 // CNNVD: CNNVD-201308-517

CREDITS

Reported by the vendor.

Trust: 0.3

sources: BID: 62081

SOURCES

db: CNVD, id: CNVD-2013-12785
db: BID, id: 62081
db: CNNVD, id: CNNVD-201308-517

LAST UPDATE DATE

2022-05-17T02:05:56.444000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-12785, date: 2013-09-04T00:00:00
db: BID, id: 62081, date: 2013-08-23T00:00:00
db: CNNVD, id: CNNVD-201308-517, date: 2013-09-06T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-12785, date: 2013-09-04T00:00:00
db: BID, id: 62081, date: 2013-08-23T00:00:00
db: CNNVD, id: CNNVD-201308-517, date: 2013-08-23T00:00:00