Pilz: Vulnerability in PASvisu and PMI v8xx

Multiple Pilz products are affected by stored cross-site-scripting (XSS) vulnerabilities. The
vulnerabilities may enable an attacker to gain full control over the system.

Update: 27.02.2024 Fix typo in advisory title



The TRUMPF CAD/CAM software tools mentioned above use the vulnerable CodeMeter Runtime (up to version 7.60d) application from WIBU-SYSTEMS AG to manage licenses within the component TRUMPF License Expert. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which the TRUMPF License Expert has been installed on. A new version of the TRUMPF License Expert which fixes these vulnerabilities is available.



Multiple vulnerabilities in the included versions of OpenSSL can lead to different problems, including crashes of the OpenSSL modules (leading to a Denial of Service) or leakage of plaintext. These underlying vulnerabilities can be fixed by installing a software update provided by TRUMPF.



The TRUMPF products that are listed above contain a vulnerable version of Notepad++. This version is
being installed for support purposes only, so there is no danger of triggering this vulnerability in
Notepad++ during normal operations. Nevertheless, TRUMPF recommends mitigation of this
vulnerability.
When editing a specially crafted file containing UTF-8 characters in Notepad++ (Versions up to 8.5.6) and converting that file to UTF-16, a buffer overflow vulnerability can be exploited that allows an attacker to execute arbitrary code to take over the whole system.



Under certain circumstances, opening a specially crafted 7-zip package can exploit an integer
underflow vulnerability in 7-zip versions up to and including 22.x
This vulnerability allows for a remote code execution, resulting in unauthorized (remote) access to,
change of data or disruption of the whole service.



A heap-based buffer overflow caused by libcurl and wrong whitespace character interpretation in Javascript, both used in CodeMeter Runtime affecting multiple products by WAGO. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations.



With TwinCAT/BSD based products the HTTPS request to the Authelia login page accepts user-controlled input that specifies a link to an external site.



Feeds

By Vendor

Archive

2024
2023
2022
2021
2020
2019
2018
2017

Legend

(Scoring for CVSS 2.0,3.0+3.1)
None
No CVE available
Low
0.1 <= 3.9
Medium
4.0 <= 6.9
High
7.0 <= 8.9
Critical
9.0 <= 10.0