Pilz: PAS 4000 prone to ZipSlip

PAS4000 is the software platform for the Automation System PSS 4000. PAS 4000 does not properly check pathnames contained in archives. An attacker can utilise this vulnerability to write arbitrary files, potentially leading to code execution.



Pilz: Multiple products affected by ZipSlip

Several Pilz software products do not properly check pathnames contained in archives. An attacker can utilise this vulnerability to write arbitrary files, potentially leading to code execution.



PASvisu is an HMI solution for Machine Visualization. It is available as a standalone software product, but it is also included in various models of the PMI product family. The PASvisu Server component contains multiple vulnerabilities which can be utilised to write arbitrary files, potentially leading to code execution.



The software product PMC programming tool from Pilz is based on the software CODESYS Development System from CODESYS GmbH. This software is affected by several vulnerabilities, which an attacker can exploit locally or via the network. This means that, in a worst case, attackers could execute arbitrary program code on the PC on which the PMC programming tool is used.



Several Pilz products use Versions V2 and V3 of the CODESYS runtime system from CODESYS GmbH, which enables the execution of IEC 61131-3 PLC programs. These runtime environments contain several vulnerabilities, which an attacker can exploit via the network. Successful exploitation of the vulnerabilities results in reduced availability and, in a worst case, to the insertion of program code.



The software product PMC programming tool from Pilz is based on the software CODESYS Development System from CODESYS GmbH. This software is affected by several vulnerabilities, which an attacker can exploit locally or via the network. This means that, in a worst case, attackers could execute arbitrary program code on the PC on which the PMC programming tool is used.



Multiple products of PILZ utilise a third-party TCP/IP implementation - the "Niche Ethernet Stack". This TCP/IP stack contains multiple vulnerabilities which are therefore affecting the products listed above.



A number of Pilz software tools use the CodeMeter Runtime application from WIBU-SYSTEMS AG to manage licences. This application contains a number of vulnerabilities, which enable an attacker to change and falsify a licence file, prevent normal operation of Code- Meter (Denial-of-Service) and potentially execute arbitrary code.



Feeds

Nach Hersteller

Archiv

2023
2022
2021
2020
2019
2018
2017

Legende

(Scoring für CVSS 2.0,3.0+3.1)
keine
Kein CVE verfügbar
Niedrig
0.1 <= 3.9
Mittel
4.0 <= 6.9
Hoch
7.0 <= 8.9
Kritisch
9.0 <= 10.0