CVE-2018-17889

Name of the Vulnerable Software and Affected Versions WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior WECON Technology Co., Ltd. PI Studio versions 4.2.34 and prior

Description The issue is caused by incorrect restriction of XML links to external objects in the XML analyzer of PI Studio development tools. This may allow a remote attacker to disclose protected information. The XMLParser in WECON PIStudio is vulnerable to an XML external entity injection attack when parsing project files, potentially leading to sensitive information disclosure.

Recommendations For WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior: Update to a version later than 4.1.9 to resolve the issue. For WECON Technology Co., Ltd. PI Studio versions 4.2.34 and prior: Update to a version later than 4.2.34 to resolve the issue. As a temporary workaround, consider restricting access to the XMLParser until a patch is available.