|Article No°||Product Name||Affected Version(s)|
|PC Worx||<= 1.88|
|PC Worx Express||<= 1.88|
PC Worx / -Express is vulnerable to a “zip slip” style vulnerability when loading a project file.
A maliciously crafted project archive could allow an attacker to unpack arbitrary files outside of the selected project directory
Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
Automated systems in operation which were programmed with one of the above-mentioned products are not affected.
We strongly recommend customers to exchange project files only using secure file exchange services. Project files should not be exchanged via unencrypted email.
In addition, we recommend exchanging or storing project files together with a checksum to ensure their integrity.
With the next version of Automation Worx Software Suite additional plausibility checks for archive content will be implemented.
The vulnerability was discovered by Jake Baines of Dragos Inc.
We kindly appreciate the coordinated disclosure of these vulnerabilities by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.